1. 02 Oct, 2018 40 commits
    • Alexey Brodkin's avatar
      ARC: Explicitly add -mmedium-calls to CFLAGS · 074ee719
      Alexey Brodkin authored
      BugLink: https://bugs.launchpad.net/bugs/1792377
      
      [ Upstream commit 74c11e30 ]
      
      GCC built for arc*-*-linux has "-mmedium-calls" implicitly enabled by default
      thus we don't see any problems during Linux kernel compilation.
      ----------------------------->8------------------------
      arc-linux-gcc -mcpu=arc700 -Q --help=target | grep calls
        -mlong-calls                          [disabled]
        -mmedium-calls                        [enabled]
      ----------------------------->8------------------------
      
      But if we try to use so-called Elf32 toolchain with GCC configured for
      arc*-*-elf* then we'd see the following failure:
      ----------------------------->8------------------------
      init/do_mounts.o: In function 'init_rootfs':
      do_mounts.c:(.init.text+0x108): relocation truncated to fit: R_ARC_S21W_PCREL
      against symbol 'unregister_filesystem' defined in .text section in fs/filesystems.o
      
      arc-elf32-ld: final link failed: Symbol needs debug section which does not exist
      make: *** [vmlinux] Error 1
      ----------------------------->8------------------------
      
      That happens because neither "-mmedium-calls" nor "-mlong-calls" are enabled in
      Elf32 GCC:
      ----------------------------->8------------------------
      arc-elf32-gcc -mcpu=arc700 -Q --help=target | grep calls
        -mlong-calls                          [disabled]
        -mmedium-calls                        [disabled]
      ----------------------------->8------------------------
      
      Now to make it possible to use Elf32 toolchain for building Linux kernel
      we're explicitly add "-mmedium-calls" to CFLAGS.
      
      And since we add "-mmedium-calls" to the global CFLAGS there's no point in
      having per-file copies thus removing them.
      Signed-off-by: default avatarAlexey Brodkin <abrodkin@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      074ee719
    • Greg Kroah-Hartman's avatar
    • Kees Cook's avatar
      isdn: Disable IIOCDBGVAR · 3f9f63f5
      Kees Cook authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      [ Upstream commit 5e22002a ]
      
      It was possible to directly leak the kernel address where the isdn_dev
      structure pointer was stored. This is a kernel ASLR bypass for anyone
      with access to the ioctl. The code had been present since the beginning
      of git history, though this shouldn't ever be needed for normal operation,
      therefore remove it.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      3f9f63f5
    • Sudip Mukherjee's avatar
      Bluetooth: avoid killing an already killed socket · 425c4ade
      Sudip Mukherjee authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit 4e1a720d upstream.
      
      slub debug reported:
      
      [  440.648642] =============================================================================
      [  440.648649] BUG kmalloc-1024 (Tainted: G    BU     O   ): Poison overwritten
      [  440.648651] -----------------------------------------------------------------------------
      
      [  440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
      [  440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
      [  440.648671] 	___slab_alloc.constprop.24+0x1fc/0x292
      [  440.648675] 	__slab_alloc.isra.18.constprop.23+0x1c/0x25
      [  440.648677] 	__kmalloc+0xb6/0x17f
      [  440.648680] 	sk_prot_alloc+0x6b/0xc6
      [  440.648683] 	sk_alloc+0x1e/0xa1
      [  440.648700] 	sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
      [  440.648716] 	sco_connect_cfm+0x166/0x281 [bluetooth]
      [  440.648731] 	hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
      [  440.648746] 	hci_event_packet+0x28b/0x2326 [bluetooth]
      [  440.648759] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648764] 	process_one_work+0x163/0x2b2
      [  440.648767] 	worker_thread+0x1a9/0x25c
      [  440.648770] 	kthread+0xf8/0xfd
      [  440.648774] 	ret_from_fork+0x2e/0x38
      [  440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
      [  440.648782] 	__slab_free+0x4b/0x27a
      [  440.648784] 	kfree+0x12e/0x155
      [  440.648787] 	__sk_destruct+0xd3/0xdf
      [  440.648790] 	sk_destruct+0x27/0x29
      [  440.648793] 	__sk_free+0x75/0x91
      [  440.648795] 	sk_free+0x1c/0x1e
      [  440.648810] 	sco_sock_kill+0x5a/0x5f [bluetooth]
      [  440.648825] 	sco_conn_del+0x8e/0xba [bluetooth]
      [  440.648840] 	sco_disconn_cfm+0x3a/0x41 [bluetooth]
      [  440.648855] 	hci_event_packet+0x45e/0x2326 [bluetooth]
      [  440.648868] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648872] 	process_one_work+0x163/0x2b2
      [  440.648875] 	worker_thread+0x1a9/0x25c
      [  440.648877] 	kthread+0xf8/0xfd
      [  440.648880] 	ret_from_fork+0x2e/0x38
      [  440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x  (null) flags=0x40008100
      [  440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
      
      When KASAN was enabled, it reported:
      
      [  210.096613] ==================================================================
      [  210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
      [  210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
      
      [  210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G     U     O    4.14.47-20180606+ #2
      [  210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
      [  210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
      [  210.096698] Call Trace:
      [  210.096711]  dump_stack+0x46/0x59
      [  210.096722]  print_address_description+0x6b/0x23b
      [  210.096729]  ? ex_handler_refcount+0x5b/0x127
      [  210.096736]  kasan_report+0x220/0x246
      [  210.096744]  ex_handler_refcount+0x5b/0x127
      [  210.096751]  ? ex_handler_clear_fs+0x85/0x85
      [  210.096757]  fixup_exception+0x8c/0x96
      [  210.096766]  do_trap+0x66/0x2c1
      [  210.096773]  do_error_trap+0x152/0x180
      [  210.096781]  ? fixup_bug+0x78/0x78
      [  210.096817]  ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096824]  ? __schedule+0x113b/0x1453
      [  210.096830]  ? sysctl_net_exit+0xe/0xe
      [  210.096837]  ? __wake_up_common+0x343/0x343
      [  210.096843]  ? insert_work+0x107/0x163
      [  210.096850]  invalid_op+0x1b/0x40
      [  210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
      [  210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
      [  210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
      [  210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
      [  210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
      [  210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
      [  210.096920]  ? __sk_destruct+0x2c6/0x2d4
      [  210.096959]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.096969]  ? __local_bh_enable_ip+0x43/0x5b
      [  210.097004]  ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
      [  210.097039]  ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
      [  210.097075]  ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
      [  210.097093]  ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
      [  210.097102]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097109]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097115]  ? __update_load_avg_se.isra.2+0x217/0x3a4
      [  210.097122]  ? set_next_entity+0x7c3/0x12cd
      [  210.097128]  ? pick_next_entity+0x25e/0x26c
      [  210.097135]  ? pick_next_task_fair+0x2ca/0xc1a
      [  210.097141]  ? switch_mm_irqs_off+0x346/0xb4f
      [  210.097147]  ? __switch_to+0x769/0xbc4
      [  210.097153]  ? compat_start_thread+0x66/0x66
      [  210.097188]  ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
      [  210.097195]  ? finish_task_switch+0x392/0x431
      [  210.097228]  ? hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097260]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097269]  process_one_work+0x579/0x9e9
      [  210.097277]  worker_thread+0x68f/0x804
      [  210.097285]  kthread+0x31c/0x32b
      [  210.097292]  ? rescuer_thread+0x70c/0x70c
      [  210.097299]  ? kthread_create_on_node+0xa3/0xa3
      [  210.097306]  ret_from_fork+0x35/0x40
      
      [  210.097314] Allocated by task 2040:
      [  210.097323]  kasan_kmalloc.part.1+0x51/0xc7
      [  210.097328]  __kmalloc+0x17f/0x1b6
      [  210.097335]  sk_prot_alloc+0xf2/0x1a3
      [  210.097340]  sk_alloc+0x22/0x297
      [  210.097375]  sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
      [  210.097410]  sco_connect_cfm+0x2d0/0x566 [bluetooth]
      [  210.097443]  hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
      [  210.097476]  hci_event_packet+0x85e/0x7de2 [bluetooth]
      [  210.097507]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097512]  process_one_work+0x579/0x9e9
      [  210.097517]  worker_thread+0x68f/0x804
      [  210.097523]  kthread+0x31c/0x32b
      [  210.097529]  ret_from_fork+0x35/0x40
      
      [  210.097533] Freed by task 2040:
      [  210.097539]  kasan_slab_free+0xb3/0x15e
      [  210.097544]  kfree+0x103/0x1a9
      [  210.097549]  __sk_destruct+0x2c6/0x2d4
      [  210.097584]  sco_conn_del.isra.1+0xba/0x10e [bluetooth]
      [  210.097617]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.097648]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097653]  process_one_work+0x579/0x9e9
      [  210.097658]  worker_thread+0x68f/0x804
      [  210.097663]  kthread+0x31c/0x32b
      [  210.097670]  ret_from_fork+0x35/0x40
      
      [  210.097676] The buggy address belongs to the object at ffff880107e170e8
       which belongs to the cache kmalloc-1024 of size 1024
      [  210.097681] The buggy address is located 120 bytes inside of
       1024-byte region [ffff880107e170e8, ffff880107e174e8)
      [  210.097683] The buggy address belongs to the page:
      [  210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping:          (null) index:0xffff880107e15b68 compound_mapcount: 0
      [  210.110194] flags: 0x8000000000008100(slab|head)
      [  210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
      [  210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
      [  210.115451] page dumped because: kasan: bad access detected
      
      [  210.115454] Memory state around the buggy address:
      [  210.115460]  ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  210.115465]  ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
      [  210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115472]                                                        ^
      [  210.115477]  ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115481]  ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115483] ==================================================================
      
      And finally when BT_DBG() and ftrace was enabled it showed:
      
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_close
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_release
             <...>-14979 [001] ....   186.104192: sco_sock_kill: sk ef0497a0 state 9
             <...>-14979 [001] ....   186.104193: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104246: sco_sock_kill <-sco_conn_del
      kworker/u9:2-792   [001] ....   186.104248: sco_sock_kill: sk ef0497a0 state 9
      kworker/u9:2-792   [001] ....   186.104249: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct <-__sk_destruct
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct: sk ef0497a0
      kworker/u9:2-792   [001] ....   186.104860: hci_conn_del <-hci_event_packet
      kworker/u9:2-792   [001] ....   186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
      
      Only in the failed case, sco_sock_kill() gets called with the same sock
      pointer two times. Add a check for SOCK_DEAD to avoid continue killing
      a socket which has already been killed.
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      425c4ade
    • Chen Hu's avatar
      serial: 8250_dw: always set baud rate in dw8250_set_termios · 4de4e060
      Chen Hu authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit dfcab6ba upstream.
      
      dw8250_set_termios() doesn't set baud rate if the arg "old ktermios" is
      NULL. This happens during resume.
      Call Trace:
      ...
      [   54.928108] dw8250_set_termios+0x162/0x170
      [   54.928114] serial8250_set_termios+0x17/0x20
      [   54.928117] uart_change_speed+0x64/0x160
      [   54.928119] uart_resume_port
      ...
      
      So the baud rate is not restored after S3 and breaks the apps who use
      UART, for example, console and bluetooth etc.
      
      We address this issue by setting the baud rate irrespective of arg
      "old", just like the drivers for other 8250 IPs. This is tested with
      Intel Broxton platform.
      Signed-off-by: default avatarChen Hu <hu1.chen@intel.com>
      Fixes: 4e26b134 ("serial: 8250_dw: clock rate handling for all ACPI platforms")
      Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      4de4e060
    • Willy Tarreau's avatar
      ACPI / PM: save NVS memory for ASUS 1025C laptop · 3be59835
      Willy Tarreau authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit 231f9415 upstream.
      
      Every time I tried to upgrade my laptop from 3.10.x to 4.x I faced an
      issue by which the fan would run at full speed upon resume. Bisecting
      it showed me the issue was introduced in 3.17 by commit 821d6f03
      (ACPI / sleep: Do not save NVS for new machines to accelerate S3). This
      code only affects machines built starting as of 2012, but this Asus
      1025C laptop was made in 2012 and apparently needs the NVS data to be
      saved, otherwise the CPU's thermal state is not properly reported on
      resume and the fan runs at full speed upon resume.
      
      Here's a very simple way to check if such a machine is affected :
      
        # cat /sys/class/thermal/thermal_zone0/temp
        55000
      
        ( now suspend, wait one second and resume )
      
        # cat /sys/class/thermal/thermal_zone0/temp
        0
      
        (and after ~15 seconds the fan starts to spin)
      
      Let's apply the same quirk as commit cbc00c13 (ACPI: save NVS memory
      for Lenovo G50-45) and reuse the function it provides. Note that this
      commit was already backported to 4.9.x but not 4.4.x.
      
      Cc: 3.17+ <stable@vger.kernel.org> # 3.17+: requires cbc00c13Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      3be59835
    • Zhang Rui's avatar
      ACPI: save NVS memory for Lenovo G50-45 · 21e20ca0
      Zhang Rui authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit cbc00c13 upstream.
      
      In commit 821d6f03 (ACPI / sleep: Do not save NVS for new machines to
      accelerate S3), to optimize S3 suspend/resume speed, code is introduced
      to ignore NVS memory saving during S3 for all the platforms later than
      2012.
      
      But, Lenovo G50-45, a platform released in 2015, still needs NVS memory
      saving during S3. A quirk is introduced for this platform.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=189431Tested-by: default avatarPrzemek <soprwa@gmail.com>
      Signed-off-by: default avatarZhang Rui <rui.zhang@intel.com>
      [ rjw: Drop unnecessary code ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      21e20ca0
    • Aleksander Morgado's avatar
      USB: option: add support for DW5821e · d79e40ac
      Aleksander Morgado authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit 7bab01ec upstream.
      
      The device exposes AT, NMEA and DIAG ports in both USB configurations.
      
      The patch explicitly ignores interfaces 0 and 1, as they're bound to
      other drivers already; and also interface 6, which is a GNSS interface
      for which we don't have a driver yet.
      
      T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 18 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
      P:  Vendor=413c ProdID=81d7 Rev=03.18
      S:  Manufacturer=DELL
      S:  Product=DW5821e Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      
      T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
      P:  Vendor=413c ProdID=81d7 Rev=03.18
      S:  Manufacturer=DELL
      S:  Product=DW5821e Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      Signed-off-by: default avatarAleksander Morgado <aleksander@aleksander.es>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      d79e40ac
    • John Ogness's avatar
      USB: serial: sierra: fix potential deadlock at close · 0b9adee7
      John Ogness authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit e6087001 upstream.
      
      The portdata spinlock can be taken in interrupt context (via
      sierra_outdat_callback()).
      Disable interrupts when taking the portdata spinlock when discarding
      deferred URBs during close to prevent a possible deadlock.
      
      Fixes: 014333f7 ("USB: sierra: fix urb and memory leak on disconnect")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohn Ogness <john.ogness@linutronix.de>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      [ johan: amend commit message and add fixes and stable tags ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      0b9adee7
    • Takashi Iwai's avatar
      ALSA: vxpocket: Fix invalid endian conversions · 47b908c4
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit 3acd3e3b upstream.
      
      The endian conversions used in vxp_dma_read() and vxp_dma_write() are
      superfluous and even wrong on big-endian machines, as inw() and outw()
      already do conversions.  Kill them.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      47b908c4
    • Takashi Iwai's avatar
      ALSA: memalloc: Don't exceed over the requested size · bf11ba28
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit dfef01e1 upstream.
      
      snd_dma_alloc_pages_fallback() tries to allocate pages again when the
      allocation fails with reduced size.  But the first try actually
      *increases* the size to power-of-two, which may give back a larger
      chunk than the requested size.  This confuses the callers, e.g. sgbuf
      assumes that the size is equal or less, and it may result in a bad
      loop due to the underflow and eventually lead to Oops.
      
      The code of this function seems incorrectly assuming the usage of
      get_order().  We need to decrease at first, then align to
      power-of-two.
      Reported-and-tested-by: default avatarhe, bo <bo.he@intel.com>
      Reported-by: default avatarzhang jun <jun.zhang@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      bf11ba28
    • Hans de Goede's avatar
      ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry · 7faf9708
      Hans de Goede authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit 8e82a728 upstream.
      
      I added the subsys product-id for the HDMI HDA device rather then for
      the PCH one, this commit fixes this.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      7faf9708
    • Takashi Iwai's avatar
      ALSA: cs5535audio: Fix invalid endian conversion · 5195f323
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit 69756930 upstream.
      
      One place in cs5535audio_build_dma_packets() does an extra conversion
      via cpu_to_le32(); namely jmpprd_addr is passed to setup_prd() ops,
      which writes the value via cs_writel().  That is, the callback does
      the conversion by itself, and we don't need to convert beforehand.
      
      This patch fixes that bogus conversion.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      5195f323
    • Takashi Iwai's avatar
      ALSA: virmidi: Fix too long output trigger loop · 34d56fab
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit 50e9ffb1 upstream.
      
      The virmidi output trigger tries to parse the all available bytes and
      process sequencer events as much as possible.  In a normal situation,
      this is supposed to be relatively short, but a program may give a huge
      buffer and it'll take a long time in a single spin lock, which may
      eventually lead to a soft lockup.
      
      This patch simply adds a workaround, a cond_resched() call in the loop
      if applicable.  A better solution would be to move the event processor
      into a work, but let's put a duct-tape quickly at first.
      Reported-and-tested-by: default avatarDae R. Jeong <threeearcat@gmail.com>
      Reported-by: syzbot+619d9f40141d826b097e@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      34d56fab
    • Takashi Iwai's avatar
      ALSA: vx222: Fix invalid endian conversions · e893da8c
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit fff71a4c upstream.
      
      The endian conversions used in vx2_dma_read() and vx2_dma_write() are
      superfluous and even wrong on big-endian machines, as inl() and outl()
      already do conversions.  Kill them.
      
      Spotted by sparse, a warning like:
        sound/pci/vx222/vx222_ops.c:278:30: warning: incorrect type in argument 1 (different base types)
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      e893da8c
    • Park Ju Hyung's avatar
      ALSA: hda - Turn CX8200 into D3 as well upon reboot · d5644a8c
      Park Ju Hyung authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit d77a4b4a upstream.
      
      As an equivalent codec with CX20724,
      CX8200 is also subject to the reboot bug.
      
      Late 2017 and 2018 LG Gram and some HP Spectre laptops are known victims
      to this issue, causing extremely loud noises upon reboot.
      
      Now that we know that this bug is subject to multiple codecs,
      fix the comment as well.
      Signed-off-by: default avatarPark Ju Hyung <qkrwngud825@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      d5644a8c
    • Park Ju Hyung's avatar
      ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs · f4983c79
      Park Ju Hyung authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      commit f59cf9a0 upstream.
      
      On rare occasions, we are still noticing that the internal speaker
      spitting out spurious noises even after adding the problematic codec
      to the list.
      
      Adding a 10ms artificial delay before rebooting fixes the issue entirely.
      
      Patch for Realtek codecs also adds the same amount of delay after
      entering D3.
      Signed-off-by: default avatarPark Ju Hyung <qkrwngud825@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      f4983c79
    • Hangbin Liu's avatar
      net_sched: fix NULL pointer dereference when delete tcindex filter · 3d4522e1
      Hangbin Liu authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      [ Upstream commit 2df8bee5 ]
      
      Li Shuang reported the following crash:
      
      [   71.267724] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
      [   71.276456] PGD 800000085d9bd067 P4D 800000085d9bd067 PUD 859a0b067 PMD 0
      [   71.284127] Oops: 0000 [#1] SMP PTI
      [   71.288015] CPU: 12 PID: 2386 Comm: tc Not tainted 4.18.0-rc8.latest+ #131
      [   71.295686] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.1.5 04/11/2016
      [   71.304037] RIP: 0010:tcindex_delete+0x72/0x280 [cls_tcindex]
      [   71.310446] Code: 00 31 f6 48 87 75 20 48 85 f6 74 11 48 8b 47 18 48 8b 40 08 48 8b 40 50 e8 fb a6 f8 fc 48 85 db 0f 84 dc 00 00 00 48 8b 73 18 <8b> 56 04 48 8d 7e 04 85 d2 0f 84 7b 01 00
      [   71.331517] RSP: 0018:ffffb45207b3f898 EFLAGS: 00010282
      [   71.337345] RAX: ffff8ad3d72d6360 RBX: ffff8acc84393680 RCX: 000000000000002e
      [   71.345306] RDX: ffff8ad3d72c8570 RSI: 0000000000000000 RDI: ffff8ad847a45800
      [   71.353277] RBP: ffff8acc84393688 R08: ffff8ad3d72c8400 R09: 0000000000000000
      [   71.361238] R10: ffff8ad3de786e00 R11: 0000000000000000 R12: ffffb45207b3f8c7
      [   71.369199] R13: ffff8ad3d93bd2a0 R14: 000000000000002e R15: ffff8ad3d72c9600
      [   71.377161] FS:  00007f9d3ec3e740(0000) GS:ffff8ad3df980000(0000) knlGS:0000000000000000
      [   71.386188] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   71.392597] CR2: 0000000000000004 CR3: 0000000852f06003 CR4: 00000000001606e0
      [   71.400558] Call Trace:
      [   71.403299]  tcindex_destroy_element+0x25/0x40 [cls_tcindex]
      [   71.409611]  tcindex_walk+0xbb/0x110 [cls_tcindex]
      [   71.414953]  tcindex_destroy+0x44/0x90 [cls_tcindex]
      [   71.420492]  ? tcindex_delete+0x280/0x280 [cls_tcindex]
      [   71.426323]  tcf_proto_destroy+0x16/0x40
      [   71.430696]  tcf_chain_flush+0x51/0x70
      [   71.434876]  tcf_block_put_ext.part.30+0x8f/0x1b0
      [   71.440122]  tcf_block_put+0x4d/0x70
      [   71.444108]  cbq_destroy+0x4d/0xd0 [sch_cbq]
      [   71.448869]  qdisc_destroy+0x62/0x130
      [   71.452951]  dsmark_destroy+0x2a/0x70 [sch_dsmark]
      [   71.458300]  qdisc_destroy+0x62/0x130
      [   71.462373]  qdisc_graft+0x3ba/0x470
      [   71.466359]  tc_get_qdisc+0x2a6/0x2c0
      [   71.470443]  ? cred_has_capability+0x7d/0x130
      [   71.475307]  rtnetlink_rcv_msg+0x263/0x2d0
      [   71.479875]  ? rtnl_calcit.isra.30+0x110/0x110
      [   71.484832]  netlink_rcv_skb+0x4d/0x130
      [   71.489109]  netlink_unicast+0x1a3/0x250
      [   71.493482]  netlink_sendmsg+0x2ae/0x3a0
      [   71.497859]  sock_sendmsg+0x36/0x40
      [   71.501748]  ___sys_sendmsg+0x26f/0x2d0
      [   71.506029]  ? handle_pte_fault+0x586/0xdf0
      [   71.510694]  ? __handle_mm_fault+0x389/0x500
      [   71.515457]  ? __sys_sendmsg+0x5e/0xa0
      [   71.519636]  __sys_sendmsg+0x5e/0xa0
      [   71.523626]  do_syscall_64+0x5b/0x180
      [   71.527711]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   71.533345] RIP: 0033:0x7f9d3e257f10
      [   71.537331] Code: c3 48 8b 05 82 6f 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d 8d d0 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8
      [   71.558401] RSP: 002b:00007fff6f893398 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [   71.566848] RAX: ffffffffffffffda RBX: 000000005b71274d RCX: 00007f9d3e257f10
      [   71.574810] RDX: 0000000000000000 RSI: 00007fff6f8933e0 RDI: 0000000000000003
      [   71.582770] RBP: 00007fff6f8933e0 R08: 000000000000ffff R09: 0000000000000003
      [   71.590729] R10: 00007fff6f892e20 R11: 0000000000000246 R12: 0000000000000000
      [   71.598689] R13: 0000000000662ee0 R14: 0000000000000000 R15: 0000000000000000
      [   71.606651] Modules linked in: sch_cbq cls_tcindex sch_dsmark xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_coni
      [   71.685425]  libahci i2c_algo_bit i2c_core i40e libata dca mdio megaraid_sas dm_mirror dm_region_hash dm_log dm_mod
      [   71.697075] CR2: 0000000000000004
      [   71.700792] ---[ end trace f604eb1acacd978b ]---
      
      Reproducer:
      tc qdisc add dev lo handle 1:0 root dsmark indices 64 set_tc_index
      tc filter add dev lo parent 1:0 protocol ip prio 1 tcindex mask 0xfc shift 2
      tc qdisc add dev lo parent 1:0 handle 2:0 cbq bandwidth 10Mbit cell 8 avpkt 1000 mpu 64
      tc class add dev lo parent 2:0 classid 2:1 cbq bandwidth 10Mbit rate 1500Kbit avpkt 1000 prio 1 bounded isolated allot 1514 weight 1 maxburst 10
      tc filter add dev lo parent 2:0 protocol ip prio 1 handle 0x2e tcindex classid 2:1 pass_on
      tc qdisc add dev lo parent 2:1 pfifo limit 5
      tc qdisc del dev lo root
      
      This is because in tcindex_set_parms, when there is no old_r, we set new
      exts to cr.exts. And we didn't set it to filter when r == &new_filter_result.
      
      Then in tcindex_delete() -> tcf_exts_get_net(), we will get NULL pointer
      dereference as we didn't init exts.
      
      Fix it by moving tcf_exts_change() after "if (old_r && old_r != r)" check.
      Then we don't need "cr" as there is no errout after that.
      
      Fixes: bf63ac73 ("net_sched: fix an oops in tcindex filter")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      3d4522e1
    • Cong Wang's avatar
      vsock: split dwork to avoid reinitializations · 4d44e156
      Cong Wang authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      [ Upstream commit 455f05ec ]
      
      syzbot reported that we reinitialize an active delayed
      work in vsock_stream_connect():
      
      	ODEBUG: init active (active state 0) object type: timer_list hint:
      	delayed_work_timer_fn+0x0/0x90 kernel/workqueue.c:1414
      	WARNING: CPU: 1 PID: 11518 at lib/debugobjects.c:329
      	debug_print_object+0x16a/0x210 lib/debugobjects.c:326
      
      The pattern is apparently wrong, we should only initialize
      the dealyed work once and could repeatly schedule it. So we
      have to move out the initializations to allocation side.
      And to avoid confusion, we can split the shared dwork
      into two, instead of re-using the same one.
      
      Fixes: d021c344 ("VSOCK: Introduce VM Sockets")
      Reported-by: <syzbot+8a9b1bd330476a4f3db6@syzkaller.appspotmail.com>
      Cc: Andy king <acking@vmware.com>
      Cc: Stefan Hajnoczi <stefanha@redhat.com>
      Cc: Jorgen Hansen <jhansen@vmware.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      4d44e156
    • Hangbin Liu's avatar
      net_sched: Fix missing res info when create new tc_index filter · efa4a50f
      Hangbin Liu authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      [ Upstream commit 008369dc ]
      
      Li Shuang reported the following warn:
      
      [  733.484610] WARNING: CPU: 6 PID: 21123 at net/sched/sch_cbq.c:1418 cbq_destroy_class+0x5d/0x70 [sch_cbq]
      [  733.495190] Modules linked in: sch_cbq cls_tcindex sch_dsmark rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat l
      [  733.574155]  syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm igb ixgbe ahci libahci i2c_algo_bit libata i40e i2c_core dca mdio megaraid_sas dm_mirror dm_region_hash dm_log dm_mod
      [  733.592500] CPU: 6 PID: 21123 Comm: tc Not tainted 4.18.0-rc8.latest+ #131
      [  733.600169] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.1.5 04/11/2016
      [  733.608518] RIP: 0010:cbq_destroy_class+0x5d/0x70 [sch_cbq]
      [  733.614734] Code: e7 d9 d2 48 8b 7b 48 e8 61 05 da d2 48 8d bb f8 00 00 00 e8 75 ae d5 d2 48 39 eb 74 0a 48 89 df 5b 5d e9 16 6c 94 d2 5b 5d c3 <0f> 0b eb b6 0f 1f 44 00 00 66 2e 0f 1f 84
      [  733.635798] RSP: 0018:ffffbfbb066bb9d8 EFLAGS: 00010202
      [  733.641627] RAX: 0000000000000001 RBX: ffff9cdd17392800 RCX: 000000008010000f
      [  733.649588] RDX: ffff9cdd1df547e0 RSI: ffff9cdd17392800 RDI: ffff9cdd0f84c800
      [  733.657547] RBP: ffff9cdd0f84c800 R08: 0000000000000001 R09: 0000000000000000
      [  733.665508] R10: ffff9cdd0f84d000 R11: 0000000000000001 R12: 0000000000000001
      [  733.673469] R13: 0000000000000000 R14: 0000000000000001 R15: ffff9cdd17392200
      [  733.681430] FS:  00007f911890a740(0000) GS:ffff9cdd1f8c0000(0000) knlGS:0000000000000000
      [  733.690456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  733.696864] CR2: 0000000000b5544c CR3: 0000000859374002 CR4: 00000000001606e0
      [  733.704826] Call Trace:
      [  733.707554]  cbq_destroy+0xa1/0xd0 [sch_cbq]
      [  733.712318]  qdisc_destroy+0x62/0x130
      [  733.716401]  dsmark_destroy+0x2a/0x70 [sch_dsmark]
      [  733.721745]  qdisc_destroy+0x62/0x130
      [  733.725829]  qdisc_graft+0x3ba/0x470
      [  733.729817]  tc_get_qdisc+0x2a6/0x2c0
      [  733.733901]  ? cred_has_capability+0x7d/0x130
      [  733.738761]  rtnetlink_rcv_msg+0x263/0x2d0
      [  733.743330]  ? rtnl_calcit.isra.30+0x110/0x110
      [  733.748287]  netlink_rcv_skb+0x4d/0x130
      [  733.752576]  netlink_unicast+0x1a3/0x250
      [  733.756949]  netlink_sendmsg+0x2ae/0x3a0
      [  733.761324]  sock_sendmsg+0x36/0x40
      [  733.765213]  ___sys_sendmsg+0x26f/0x2d0
      [  733.769493]  ? handle_pte_fault+0x586/0xdf0
      [  733.774158]  ? __handle_mm_fault+0x389/0x500
      [  733.778919]  ? __sys_sendmsg+0x5e/0xa0
      [  733.783099]  __sys_sendmsg+0x5e/0xa0
      [  733.787087]  do_syscall_64+0x5b/0x180
      [  733.791171]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  733.796805] RIP: 0033:0x7f9117f23f10
      [  733.800791] Code: c3 48 8b 05 82 6f 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d 8d d0 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8
      [  733.821873] RSP: 002b:00007ffe96818398 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  733.830319] RAX: ffffffffffffffda RBX: 000000005b71244c RCX: 00007f9117f23f10
      [  733.838280] RDX: 0000000000000000 RSI: 00007ffe968183e0 RDI: 0000000000000003
      [  733.846241] RBP: 00007ffe968183e0 R08: 000000000000ffff R09: 0000000000000003
      [  733.854202] R10: 00007ffe96817e20 R11: 0000000000000246 R12: 0000000000000000
      [  733.862161] R13: 0000000000662ee0 R14: 0000000000000000 R15: 0000000000000000
      [  733.870121] ---[ end trace 28edd4aad712ddca ]---
      
      This is because we didn't update f->result.res when create new filter. Then in
      tcindex_delete() -> tcf_unbind_filter(), we will failed to find out the res
      and unbind filter, which will trigger the WARN_ON() in cbq_destroy_class().
      
      Fix it by updating f->result.res when create new filter.
      
      Fixes: 6e056569 ("net_sched: fix another crash in cls_tcindex")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      efa4a50f
    • Cong Wang's avatar
      llc: use refcount_inc_not_zero() for llc_sap_find() · 8f2c6365
      Cong Wang authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      [ Upstream commit 0dcb8225 ]
      
      llc_sap_put() decreases the refcnt before deleting sap
      from the global list. Therefore, there is a chance
      llc_sap_find() could find a sap with zero refcnt
      in this global list.
      
      Close this race condition by checking if refcnt is zero
      or not in llc_sap_find(), if it is zero then it is being
      removed so we can just treat it as gone.
      
      Reported-by: <syzbot+278893f3f7803871f7ce@syzkaller.appspotmail.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      8f2c6365
    • Wei Wang's avatar
      l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache · dcab6499
      Wei Wang authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      [ Upstream commit 6d37fa49 ]
      
      In l2tp code, if it is a L2TP_UDP_ENCAP tunnel, tunnel->sk points to a
      UDP socket. User could call sendmsg() on both this tunnel and the UDP
      socket itself concurrently. As l2tp_xmit_skb() holds socket lock and call
      __sk_dst_check() to refresh sk->sk_dst_cache, while udpv6_sendmsg() is
      lockless and call sk_dst_check() to refresh sk->sk_dst_cache, there
      could be a race and cause the dst cache to be freed multiple times.
      So we fix l2tp side code to always call sk_dst_check() to garantee
      xchg() is called when refreshing sk->sk_dst_cache to avoid race
      conditions.
      
      Syzkaller reported stack trace:
      BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
      BUG: KASAN: use-after-free in atomic_fetch_add_unless include/linux/atomic.h:575 [inline]
      BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:597 [inline]
      BUG: KASAN: use-after-free in dst_hold_safe include/net/dst.h:308 [inline]
      BUG: KASAN: use-after-free in ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029
      Read of size 4 at addr ffff8801aea9a880 by task syz-executor129/4829
      
      CPU: 0 PID: 4829 Comm: syz-executor129 Not tainted 4.18.0-rc7-next-20180802+ #30
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
       check_memory_region_inline mm/kasan/kasan.c:260 [inline]
       check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
       kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
       atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
       atomic_fetch_add_unless include/linux/atomic.h:575 [inline]
       atomic_add_unless include/linux/atomic.h:597 [inline]
       dst_hold_safe include/net/dst.h:308 [inline]
       ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029
       rt6_get_pcpu_route net/ipv6/route.c:1249 [inline]
       ip6_pol_route+0x354/0xd20 net/ipv6/route.c:1922
       ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2098
       fib6_rule_lookup+0x283/0x890 net/ipv6/fib6_rules.c:122
       ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2126
       ip6_dst_lookup_tail+0x1278/0x1da0 net/ipv6/ip6_output.c:978
       ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1079
       ip6_sk_dst_lookup_flow+0x5ed/0xc50 net/ipv6/ip6_output.c:1117
       udpv6_sendmsg+0x2163/0x36b0 net/ipv6/udp.c:1354
       inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:622 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:632
       ___sys_sendmsg+0x51d/0x930 net/socket.c:2115
       __sys_sendmmsg+0x240/0x6f0 net/socket.c:2210
       __do_sys_sendmmsg net/socket.c:2239 [inline]
       __se_sys_sendmmsg net/socket.c:2236 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x446a29
      Code: e8 ac b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f4de5532db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 0000000000446a29
      RDX: 00000000000000b8 RSI: 0000000020001b00 RDI: 0000000000000003
      RBP: 00000000006dcc30 R08: 00007f4de5533700 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c
      R13: 00007ffe2b830fdf R14: 00007f4de55339c0 R15: 0000000000000001
      
      Fixes: 71b1391a ("l2tp: ensure sk->dst is still valid")
      Reported-by: syzbot+05f840f3b04f211bad55@syzkaller.appspotmail.com
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Cc: Guillaume Nault <g.nault@alphalink.fr>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      dcab6499
    • Alexey Kodanev's avatar
      dccp: fix undefined behavior with 'cwnd' shift in ccid2_cwnd_restart() · 5f8676a7
      Alexey Kodanev authored
      BugLink: https://bugs.launchpad.net/bugs/1792340
      
      [ Upstream commit 61ef4b07 ]
      
      The shift of 'cwnd' with '(now - hc->tx_lsndtime) / hc->tx_rto' value
      can lead to undefined behavior [1].
      
      In order to fix this use a gradual shift of the window with a 'while'
      loop, similar to what tcp_cwnd_restart() is doing.
      
      When comparing delta and RTO there is a minor difference between TCP
      and DCCP, the last one also invokes dccp_cwnd_restart() and reduces
      'cwnd' if delta equals RTO. That case is preserved in this change.
      
      [1]:
      [40850.963623] UBSAN: Undefined behaviour in net/dccp/ccids/ccid2.c:237:7
      [40851.043858] shift exponent 67 is too large for 32-bit type 'unsigned int'
      [40851.127163] CPU: 3 PID: 15940 Comm: netstress Tainted: G        W   E     4.18.0-rc7.x86_64 #1
      ...
      [40851.377176] Call Trace:
      [40851.408503]  dump_stack+0xf1/0x17b
      [40851.451331]  ? show_regs_print_info+0x5/0x5
      [40851.503555]  ubsan_epilogue+0x9/0x7c
      [40851.548363]  __ubsan_handle_shift_out_of_bounds+0x25b/0x2b4
      [40851.617109]  ? __ubsan_handle_load_invalid_value+0x18f/0x18f
      [40851.686796]  ? xfrm4_output_finish+0x80/0x80
      [40851.739827]  ? lock_downgrade+0x6d0/0x6d0
      [40851.789744]  ? xfrm4_prepare_output+0x160/0x160
      [40851.845912]  ? ip_queue_xmit+0x810/0x1db0
      [40851.895845]  ? ccid2_hc_tx_packet_sent+0xd36/0x10a0 [dccp]
      [40851.963530]  ccid2_hc_tx_packet_sent+0xd36/0x10a0 [dccp]
      [40852.029063]  dccp_xmit_packet+0x1d3/0x720 [dccp]
      [40852.086254]  dccp_write_xmit+0x116/0x1d0 [dccp]
      [40852.142412]  dccp_sendmsg+0x428/0xb20 [dccp]
      [40852.195454]  ? inet_dccp_listen+0x200/0x200 [dccp]
      [40852.254833]  ? sched_clock+0x5/0x10
      [40852.298508]  ? sched_clock+0x5/0x10
      [40852.342194]  ? inet_create+0xdf0/0xdf0
      [40852.388988]  sock_sendmsg+0xd9/0x160
      ...
      
      Fixes: 113ced1f ("dccp ccid-2: Perform congestion-window validation")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      5f8676a7
    • Greg Kroah-Hartman's avatar
    • Sean Christopherson's avatar
      x86/speculation/l1tf: Exempt zeroed PTEs from inversion · 03d4c503
      Sean Christopherson authored
      BugLink: https://bugs.launchpad.net/bugs/1792336
      
      commit f19f5c49 upstream.
      
      It turns out that we should *not* invert all not-present mappings,
      because the all zeroes case is obviously special.
      
      clear_page() does not undergo the XOR logic to invert the address bits,
      i.e. PTE, PMD and PUD entries that have not been individually written
      will have val=0 and so will trigger __pte_needs_invert(). As a result,
      {pte,pmd,pud}_pfn() will return the wrong PFN value, i.e. all ones
      (adjusted by the max PFN mask) instead of zero. A zeroed entry is ok
      because the page at physical address 0 is reserved early in boot
      specifically to mitigate L1TF, so explicitly exempt them from the
      inversion when reading the PFN.
      
      Manifested as an unexpected mprotect(..., PROT_NONE) failure when called
      on a VMA that has VM_PFNMAP and was mmap'd to as something other than
      PROT_NONE but never used. mprotect() sends the PROT_NONE request down
      prot_none_walk(), which walks the PTEs to check the PFNs.
      prot_none_pte_entry() gets the bogus PFN from pte_pfn() and returns
      -EACCES because it thinks mprotect() is trying to adjust a high MMIO
      address.
      
      [ This is a very modified version of Sean's original patch, but all
        credit goes to Sean for doing this and also pointing out that
        sometimes the __pte_needs_invert() function only gets the protection
        bits, not the full eventual pte.  But zero remains special even in
        just protection bits, so that's ok.   - Linus ]
      
      Fixes: f22cc87f ("x86/speculation/l1tf: Invert all not present mappings")
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Acked-by: default avatarAndi Kleen <ak@linux.intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      03d4c503
    • Greg Kroah-Hartman's avatar
    • Toshi Kani's avatar
      x86/mm: Add TLB purge to free pmd/pte page interfaces · d07c5c95
      Toshi Kani authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 5e0fb5df upstream.
      
      ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates
      a pud / pmd map.  The following preconditions are met at their entry.
       - All pte entries for a target pud/pmd address range have been cleared.
       - System-wide TLB purges have been peformed for a target pud/pmd address
         range.
      
      The preconditions assure that there is no stale TLB entry for the range.
      Speculation may not cache TLB entries since it requires all levels of page
      entries, including ptes, to have P & A-bits set for an associated address.
      However, speculation may cache pud/pmd entries (paging-structure caches)
      when they have P-bit set.
      
      Add a system-wide TLB purge (INVLPG) to a single page after clearing
      pud/pmd entry's P-bit.
      
      SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches,
      states that:
        INVLPG invalidates all paging-structure caches associated with the
        current PCID regardless of the liner addresses to which they correspond.
      
      Fixes: 28ee90fe ("x86/mm: implement free pmd/pte page interfaces")
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: mhocko@suse.com
      Cc: akpm@linux-foundation.org
      Cc: hpa@zytor.com
      Cc: cpandya@codeaurora.org
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20180627141348.21777-4-toshi.kani@hpe.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      d07c5c95
    • Chintan Pandya's avatar
      ioremap: Update pgtable free interfaces with addr · 4d401184
      Chintan Pandya authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 785a19f9 upstream.
      
      The following kernel panic was observed on ARM64 platform due to a stale
      TLB entry.
      
       1. ioremap with 4K size, a valid pte page table is set.
       2. iounmap it, its pte entry is set to 0.
       3. ioremap the same address with 2M size, update its pmd entry with
          a new value.
       4. CPU may hit an exception because the old pmd entry is still in TLB,
          which leads to a kernel panic.
      
      Commit b6bdb751 ("mm/vmalloc: add interfaces to free unmapped page
      table") has addressed this panic by falling to pte mappings in the above
      case on ARM64.
      
      To support pmd mappings in all cases, TLB purge needs to be performed
      in this case on ARM64.
      
      Add a new arg, 'addr', to pud_free_pmd_page() and pmd_free_pte_page()
      so that TLB purge can be added later in seprate patches.
      
      [toshi.kani@hpe.com: merge changes, rewrite patch description]
      Fixes: 28ee90fe ("x86/mm: implement free pmd/pte page interfaces")
      Signed-off-by: default avatarChintan Pandya <cpandya@codeaurora.org>
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: mhocko@suse.com
      Cc: akpm@linux-foundation.org
      Cc: hpa@zytor.com
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20180627141348.21777-3-toshi.kani@hpe.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      4d401184
    • Mark Salyzyn's avatar
      Bluetooth: hidp: buffer overflow in hidp_process_report · 13ec537f
      Mark Salyzyn authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 7992c188 upstream.
      
      CVE-2018-9363
      
      The buffer length is unsigned at all layers, but gets cast to int and
      checked in hidp_process_report and can lead to a buffer overflow.
      Switch len parameter to unsigned int to resolve issue.
      
      This affects 3.18 and newer kernels.
      Signed-off-by: default avatarMark Salyzyn <salyzyn@android.com>
      Fixes: a4b1b587 ("HID: Bluetooth: hidp: make sure input buffers are big enough")
      Cc: Marcel Holtmann <marcel@holtmann.org>
      Cc: Johan Hedberg <johan.hedberg@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Kees Cook <keescook@chromium.org>
      Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
      Cc: linux-bluetooth@vger.kernel.org
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: security@kernel.org
      Cc: kernel-team@android.com
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      13ec537f
    • Thierry Escande's avatar
      ASoC: Intel: cht_bsw_max98090_ti: Fix jack initialization · 1605223a
      Thierry Escande authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 3bbda5a3 upstream.
      
      If the ts3a227e audio accessory detection hardware is present and its
      driver probed, the jack needs to be created before enabling jack
      detection in the ts3a227e driver. With this patch, the jack is
      instantiated in the max98090 headset init function if the ts3a227e is
      present. This fixes a null pointer dereference as the jack detection
      enabling function in the ts3a driver was called before the jack is
      created.
      
      [minor correction to keep error handling on jack creation the same
      as before by Pierre Bossart]
      Signed-off-by: default avatarThierry Escande <thierry.escande@collabora.com>
      Signed-off-by: default avatarPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Acked-By: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      1605223a
    • Eric Biggers's avatar
      crypto: ablkcipher - fix crash flushing dcache in error path · ebfbb75c
      Eric Biggers authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 318abdfb upstream.
      
      Like the skcipher_walk and blkcipher_walk cases:
      
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      ablkcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      
      Fix it by reorganizing ablkcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      Reported-by: default avatarLiu Chao <liuchao741@huawei.com>
      Fixes: bf06099d ("crypto: skcipher - Add ablkcipher_walk interfaces")
      Cc: <stable@vger.kernel.org> # v2.6.35+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      ebfbb75c
    • Eric Biggers's avatar
      crypto: blkcipher - fix crash flushing dcache in error path · 3c6b64e9
      Eric Biggers authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 0868def3 upstream.
      
      Like the skcipher_walk case:
      
      scatterwalk_done() is only meant to be called after a nonzero number of
      bytes have been processed, since scatterwalk_pagedone() will flush the
      dcache of the *previous* page.  But in the error case of
      blkcipher_walk_done(), e.g. if the input wasn't an integer number of
      blocks, scatterwalk_done() was actually called after advancing 0 bytes.
      This caused a crash ("BUG: unable to handle kernel paging request")
      during '!PageSlab(page)' on architectures like arm and arm64 that define
      ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE, provided that the input was
      page-aligned as in that case walk->offset == 0.
      
      Fix it by reorganizing blkcipher_walk_done() to skip the
      scatterwalk_advance() and scatterwalk_done() if an error has occurred.
      
      This bug was found by syzkaller fuzzing.
      
      Reproducer, assuming ARCH_IMPLEMENTS_FLUSH_DCACHE_PAGE:
      
      	#include <linux/if_alg.h>
      	#include <sys/socket.h>
      	#include <unistd.h>
      
      	int main()
      	{
      		struct sockaddr_alg addr = {
      			.salg_type = "skcipher",
      			.salg_name = "ecb(aes-generic)",
      		};
      		char buffer[4096] __attribute__((aligned(4096))) = { 0 };
      		int fd;
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, buffer, 16);
      		fd = accept(fd, NULL, NULL);
      		write(fd, buffer, 15);
      		read(fd, buffer, 15);
      	}
      Reported-by: default avatarLiu Chao <liuchao741@huawei.com>
      Fixes: 5cde0af2 ("[CRYPTO] cipher: Added block cipher type")
      Cc: <stable@vger.kernel.org> # v2.6.19+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      3c6b64e9
    • Eric Biggers's avatar
      crypto: vmac - separate tfm and request context · f612f9d5
      Eric Biggers authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit bb296481 upstream.
      
      syzbot reported a crash in vmac_final() when multiple threads
      concurrently use the same "vmac(aes)" transform through AF_ALG.  The bug
      is pretty fundamental: the VMAC template doesn't separate per-request
      state from per-tfm (per-key) state like the other hash algorithms do,
      but rather stores it all in the tfm context.  That's wrong.
      
      Also, vmac_final() incorrectly zeroes most of the state including the
      derived keys and cached pseudorandom pad.  Therefore, only the first
      VMAC invocation with a given key calculates the correct digest.
      
      Fix these bugs by splitting the per-tfm state from the per-request state
      and using the proper init/update/final sequencing for requests.
      
      Reproducer for the crash:
      
          #include <linux/if_alg.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          int main()
          {
                  int fd;
                  struct sockaddr_alg addr = {
                          .salg_type = "hash",
                          .salg_name = "vmac(aes)",
                  };
                  char buf[256] = { 0 };
      
                  fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
                  bind(fd, (void *)&addr, sizeof(addr));
                  setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
                  fork();
                  fd = accept(fd, NULL, NULL);
                  for (;;)
                          write(fd, buf, 256);
          }
      
      The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
      VMAC_NHBYTES, causing vmac_final() to memset() a negative length.
      
      Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
      Fixes: f1939f7c ("crypto: vmac - New hash algorithm for intel_txt support")
      Cc: <stable@vger.kernel.org> # v2.6.32+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      f612f9d5
    • Eric Biggers's avatar
      crypto: vmac - require a block cipher with 128-bit block size · 60d8e5b5
      Eric Biggers authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 73bf20ef upstream.
      
      The VMAC template assumes the block cipher has a 128-bit block size, but
      it failed to check for that.  Thus it was possible to instantiate it
      using a 64-bit block size cipher, e.g. "vmac(cast5)", causing
      uninitialized memory to be used.
      
      Add the needed check when instantiating the template.
      
      Fixes: f1939f7c ("crypto: vmac - New hash algorithm for intel_txt support")
      Cc: <stable@vger.kernel.org> # v2.6.32+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      60d8e5b5
    • Randy Dunlap's avatar
      kbuild: verify that $DEPMOD is installed · 8ba7da35
      Randy Dunlap authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 934193a6 upstream.
      
      Verify that 'depmod' ($DEPMOD) is installed.
      This is a partial revert of commit 620c231c
      ("kbuild: do not check for ancient modutils tools").
      
      Also update Documentation/process/changes.rst to refer to
      kmod instead of module-init-tools.
      
      Fixes kernel bugzilla #198965:
      https://bugzilla.kernel.org/show_bug.cgi?id=198965Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
      Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
      Cc: Michal Marek <michal.lkml@markovi.net>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Chih-Wei Huang <cwhuang@linux.org.tw>
      Cc: stable@vger.kernel.org # any kernel since 2012
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      8ba7da35
    • Liwei Song's avatar
      i2c: ismt: fix wrong device address when unmap the data buffer · e8c2edb5
      Liwei Song authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 17e83549 upstream.
      
      Fix the following kernel bug:
      
      kernel BUG at drivers/iommu/intel-iommu.c:3260!
      invalid opcode: 0000 [#5] PREEMPT SMP
      Hardware name: Intel Corp. Harcuvar/Server, BIOS HAVLCRB0.X64.0013.D39.1608311820 08/31/2016
      task: ffff880175389950 ti: ffff880176bec000 task.ti: ffff880176bec000
      RIP: 0010:[<ffffffff8150a83b>]  [<ffffffff8150a83b>] intel_unmap+0x25b/0x260
      RSP: 0018:ffff880176bef5e8  EFLAGS: 00010296
      RAX: 0000000000000024 RBX: ffff8800773c7c88 RCX: 000000000000ce04
      RDX: 0000000080000000 RSI: 0000000000000000 RDI: 0000000000000009
      RBP: ffff880176bef638 R08: 0000000000000010 R09: 0000000000000004
      R10: ffff880175389c78 R11: 0000000000000a4f R12: ffff8800773c7868
      R13: 00000000ffffac88 R14: ffff8800773c7818 R15: 0000000000000001
      FS:  00007fef21258700(0000) GS:ffff88017b5c0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 000000000066d6d8 CR3: 000000007118c000 CR4: 00000000003406e0
      Stack:
       00000000ffffac88 ffffffff8199867f ffff880176bef5f8 ffff880100000030
       ffff880176bef668 ffff8800773c7c88 ffff880178288098 ffff8800772c0010
       ffff8800773c7818 0000000000000001 ffff880176bef648 ffffffff8150a86e
      Call Trace:
       [<ffffffff8199867f>] ? printk+0x46/0x48
       [<ffffffff8150a86e>] intel_unmap_page+0xe/0x10
       [<ffffffffa039d99b>] ismt_access+0x27b/0x8fa [i2c_ismt]
       [<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
       [<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
       [<ffffffff81554420>] ? __pm_runtime_suspend+0xa0/0xa0
       [<ffffffff815544a0>] ? pm_suspend_timer_fn+0x80/0x80
       [<ffffffff8143dfd0>] ? pci_bus_read_dev_vendor_id+0xf0/0xf0
       [<ffffffff8172b36c>] i2c_smbus_xfer+0xec/0x4b0
       [<ffffffff810aa4d5>] ? vprintk_emit+0x345/0x530
       [<ffffffffa038936b>] i2cdev_ioctl_smbus+0x12b/0x240 [i2c_dev]
       [<ffffffff810aa829>] ? vprintk_default+0x29/0x40
       [<ffffffffa0389b33>] i2cdev_ioctl+0x63/0x1ec [i2c_dev]
       [<ffffffff811b04c8>] do_vfs_ioctl+0x328/0x5d0
       [<ffffffff8119d8ec>] ? vfs_write+0x11c/0x190
       [<ffffffff8109d449>] ? rt_up_read+0x19/0x20
       [<ffffffff811b07f1>] SyS_ioctl+0x81/0xa0
       [<ffffffff819a351b>] system_call_fastpath+0x16/0x6e
      
      This happen When run "i2cdetect -y 0" detect SMBus iSMT adapter.
      
      After finished I2C block read/write, when unmap the data buffer,
      a wrong device address was pass to dma_unmap_single().
      
      To fix this, give dma_unmap_single() the "dev" parameter, just like
      what dma_map_single() does, then unmap can find the right devices.
      
      Fixes: 13f35ac1 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller")
      Signed-off-by: default avatarLiwei Song <liwei.song@windriver.com>
      Reviewed-by: default avatarAndy Shevchenko <andy.shevchenko@gmail.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      e8c2edb5
    • Andrey Konovalov's avatar
      kasan: don't emit builtin calls when sanitization is off · 999cf896
      Andrey Konovalov authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit 0e410e15 upstream.
      
      With KASAN enabled the kernel has two different memset() functions, one
      with KASAN checks (memset) and one without (__memset).  KASAN uses some
      macro tricks to use the proper version where required.  For example
      memset() calls in mm/slub.c are without KASAN checks, since they operate
      on poisoned slab object metadata.
      
      The issue is that clang emits memset() calls even when there is no
      memset() in the source code.  They get linked with improper memset()
      implementation and the kernel fails to boot due to a huge amount of KASAN
      reports during early boot stages.
      
      The solution is to add -fno-builtin flag for files with KASAN_SANITIZE :=
      n marker.
      
      Link: http://lkml.kernel.org/r/8ffecfffe04088c52c42b92739c2bd8a0bcb3f5e.1516384594.git.andreyknvl@google.comSigned-off-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: Michal Marek <michal.lkml@markovi.net>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      [ Nick : Backported to 4.4 avoiding KUBSAN ]
      Signed-off-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      999cf896
    • Takashi Iwai's avatar
      tcp: Fix missing range_truesize enlargement in the backport · 11554a2d
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      The 4.4.y stable backport dc6ae4df for the upstream commit
      3d4bf93a ("tcp: detect malicious patterns in
      tcp_collapse_ofo_queue()") missed a line that enlarges the
      range_truesize value, which broke the whole check.
      
      Fixes: dc6ae4df ("tcp: detect malicious patterns in tcp_collapse_ofo_queue()")
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Cc: Michal Kubecek <mkubecek@suse.cz>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      11554a2d
    • Toshi Kani's avatar
      x86/mm: Disable ioremap free page handling on x86-PAE · b0f51542
      Toshi Kani authored
      BugLink: https://bugs.launchpad.net/bugs/1792310
      
      commit f967db0b upstream.
      
      ioremap() supports pmd mappings on x86-PAE.  However, kernel's pmd
      tables are not shared among processes on x86-PAE.  Therefore, any
      update to sync'd pmd entries need re-syncing.  Freeing a pte page
      also leads to a vmalloc fault and hits the BUG_ON in vmalloc_sync_one().
      
      Disable free page handling on x86-PAE.  pud_free_pmd_page() and
      pmd_free_pte_page() simply return 0 if a given pud/pmd entry is present.
      This assures that ioremap() does not update sync'd pmd entries at the
      cost of falling back to pte mappings.
      
      Fixes: 28ee90fe ("x86/mm: implement free pmd/pte page interfaces")
      Reported-by: default avatarJoerg Roedel <joro@8bytes.org>
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: mhocko@suse.com
      Cc: akpm@linux-foundation.org
      Cc: hpa@zytor.com
      Cc: cpandya@codeaurora.org
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20180627141348.21777-2-toshi.kani@hpe.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarStefan Bader <stefan.bader@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      b0f51542
    • Greg Kroah-Hartman's avatar