1. 16 Feb, 2018 40 commits
    • Mika Westerberg's avatar
      ahci: Add Intel Cannon Lake PCH-H PCI ID · 1f16aea4
      Mika Westerberg authored
      commit f919dde0 upstream.
      
      Add Intel Cannon Lake PCH-H PCI ID to the list of supported controllers.
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1f16aea4
    • Hans de Goede's avatar
      ahci: Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI · cbf32c1e
      Hans de Goede authored
      commit 998008b7 upstream.
      
      Add PCI ids for Intel Bay Trail, Cherry Trail and Apollo Lake AHCI
      SATA controllers. This commit is a preparation patch for allowing a
      different default sata link powermanagement policy for mobile chipsets.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cbf32c1e
    • Hans de Goede's avatar
      ahci: Annotate PCI ids for mobile Intel chipsets as such · 769e7b5f
      Hans de Goede authored
      commit ca1b4974 upstream.
      
      Intel uses different SATA PCI ids for the Desktop and Mobile SKUs of their
      chipsets. For older models the comment describing which chipset the PCI id
      is for, aksi indicates when we're dealing with a mobile SKU. Extend the
      comments for recent chipsets to also indicate mobile SKUs.
      
      The information this commit adds comes from Intel's chipset datasheets.
      
      This commit is a preparation patch for allowing a different default
      sata link powermanagement policy for mobile chipsets.
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      769e7b5f
    • Ivan Vecera's avatar
      kernfs: fix regression in kernfs_fop_write caused by wrong type · f1db1b80
      Ivan Vecera authored
      commit ba87977a upstream.
      
      Commit b7ce40cf ("kernfs: cache atomic_write_len in
      kernfs_open_file") changes type of local variable 'len' from ssize_t
      to size_t. This change caused that the *ppos value is updated also
      when the previous write callback failed.
      
      Mentioned snippet:
      ...
      len = ops->write(...); <- return value can be negative
      ...
      if (len > 0)           <- true here in this case
              *ppos += len;
      ...
      
      Fixes: b7ce40cf ("kernfs: cache atomic_write_len in kernfs_open_file")
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarIvan Vecera <ivecera@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1db1b80
    • Eric Biggers's avatar
      NFS: reject request for id_legacy key without auxdata · fb8b1685
      Eric Biggers authored
      commit 49686cbb upstream.
      
      nfs_idmap_legacy_upcall() is supposed to be called with 'aux' pointing
      to a 'struct idmap', via the call to request_key_with_auxdata() in
      nfs_idmap_request_key().
      
      However it can also be reached via the request_key() system call in
      which case 'aux' will be NULL, causing a NULL pointer dereference in
      nfs_idmap_prepare_pipe_upcall(), assuming that the key description is
      valid enough to get that far.
      
      Fix this by making nfs_idmap_legacy_upcall() negate the key if no
      auxdata is provided.
      
      As usual, this bug was found by syzkaller.  A simple reproducer using
      the command-line keyctl program is:
      
          keyctl request2 id_legacy uid:0 '' @s
      
      Fixes: 57e62324 ("NFS: Store the legacy idmapper result in the keyring")
      Reported-by: syzbot+5dfdbcf7b3eb5912abbb@syzkaller.appspotmail.com
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarTrond Myklebust <trondmy@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb8b1685
    • J. Bruce Fields's avatar
      NFS: commit direct writes even if they fail partially · ae0499e7
      J. Bruce Fields authored
      commit 1b8d97b0 upstream.
      
      If some of the WRITE calls making up an O_DIRECT write syscall fail,
      we neglect to commit, even if some of the WRITEs succeed.
      
      We also depend on the commit code to free the reference count on the
      nfs_page taken in the "if (request_commit)" case at the end of
      nfs_direct_write_completion().  The problem was originally noticed
      because ENOSPC's encountered partway through a write would result in a
      closed file being sillyrenamed when it should have been unlinked.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae0499e7
    • Trond Myklebust's avatar
      NFS: Add a cond_resched() to nfs_commit_release_pages() · 79e10b1a
      Trond Myklebust authored
      commit 7f1bda44 upstream.
      
      The commit list can get very large, and so we need a cond_resched()
      in nfs_commit_release_pages() in order to ensure we don't hog the CPU
      for excessive periods of time.
      Reported-by: default avatarMike Galbraith <efault@gmx.de>
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      79e10b1a
    • Scott Mayhew's avatar
      nfs/pnfs: fix nfs_direct_req ref leak when i/o falls back to the mds · 7406be05
      Scott Mayhew authored
      commit ba4a76f7 upstream.
      
      Currently when falling back to doing I/O through the MDS (via
      pnfs_{read|write}_through_mds), the client frees the nfs_pgio_header
      without releasing the reference taken on the dreq
      via pnfs_generic_pg_{read|write}pages -> nfs_pgheader_init ->
      nfs_direct_pgio_init.  It then takes another reference on the dreq via
      nfs_generic_pg_pgios -> nfs_pgheader_init -> nfs_direct_pgio_init and
      as a result the requester will become stuck in inode_dio_wait.  Once
      that happens, other processes accessing the inode will become stuck as
      well.
      
      Ensure that pnfs_read_through_mds() and pnfs_write_through_mds() clean
      up correctly by calling hdr->completion_ops->completion() instead of
      calling hdr->release() directly.
      
      This can be reproduced (sometimes) by performing "storage failover
      takeover" commands on NetApp filer while doing direct I/O from a client.
      
      This can also be reproduced using SystemTap to simulate a failure while
      doing direct I/O from a client (from Dave Wysochanski
      <dwysocha@redhat.com>):
      
      stap -v -g -e 'probe module("nfs_layout_nfsv41_files").function("nfs4_fl_prepare_ds").return { $return=NULL; exit(); }'
      Suggested-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarScott Mayhew <smayhew@redhat.com>
      Fixes: 1ca018d2 ("pNFS: Fix a memory leak when attempted pnfs fails")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@primarydata.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7406be05
    • Bradley Bolen's avatar
      ubi: block: Fix locking for idr_alloc/idr_remove · 022af489
      Bradley Bolen authored
      commit 7f29ae9f upstream.
      
      This fixes a race with idr_alloc where gd->first_minor can be set to the
      same value for two simultaneous calls to ubiblock_create.  Each instance
      calls device_add_disk with the same first_minor.  device_add_disk calls
      bdi_register_owner which generates several warnings.
      
      WARNING: CPU: 1 PID: 179 at kernel-source/fs/sysfs/dir.c:31
      sysfs_warn_dup+0x68/0x88
      sysfs: cannot create duplicate filename '/devices/virtual/bdi/252:2'
      
      WARNING: CPU: 1 PID: 179 at kernel-source/lib/kobject.c:240
      kobject_add_internal+0x1ec/0x2f8
      kobject_add_internal failed for 252:2 with -EEXIST, don't try to
      register things with the same name in the same directory
      
      WARNING: CPU: 1 PID: 179 at kernel-source/fs/sysfs/dir.c:31
      sysfs_warn_dup+0x68/0x88
      sysfs: cannot create duplicate filename '/dev/block/252:2'
      
      However, device_add_disk does not error out when bdi_register_owner
      returns an error.  Control continues until reaching blk_register_queue.
      It then BUGs.
      
      kernel BUG at kernel-source/fs/sysfs/group.c:113!
      [<c01e26cc>] (internal_create_group) from [<c01e2950>]
      (sysfs_create_group+0x20/0x24)
      [<c01e2950>] (sysfs_create_group) from [<c00e3d38>]
      (blk_trace_init_sysfs+0x18/0x20)
      [<c00e3d38>] (blk_trace_init_sysfs) from [<c02bdfbc>]
      (blk_register_queue+0xd8/0x154)
      [<c02bdfbc>] (blk_register_queue) from [<c02cec84>]
      (device_add_disk+0x194/0x44c)
      [<c02cec84>] (device_add_disk) from [<c0436ec8>]
      (ubiblock_create+0x284/0x2e0)
      [<c0436ec8>] (ubiblock_create) from [<c0427bb8>]
      (vol_cdev_ioctl+0x450/0x554)
      [<c0427bb8>] (vol_cdev_ioctl) from [<c0189110>] (vfs_ioctl+0x30/0x44)
      [<c0189110>] (vfs_ioctl) from [<c01892e0>] (do_vfs_ioctl+0xa0/0x790)
      [<c01892e0>] (do_vfs_ioctl) from [<c0189a14>] (SyS_ioctl+0x44/0x68)
      [<c0189a14>] (SyS_ioctl) from [<c0010640>] (ret_fast_syscall+0x0/0x34)
      
      Locking idr_alloc/idr_remove removes the race and keeps gd->first_minor
      unique.
      
      Fixes: 2bf50d42 ("UBI: block: Dynamically allocate minor numbers")
      Signed-off-by: default avatarBradley Bolen <bradleybolen@gmail.com>
      Reviewed-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      022af489
    • Miquel Raynal's avatar
      mtd: nand: sunxi: Fix ECC strength choice · 8f645656
      Miquel Raynal authored
      commit f4c6cd1a upstream.
      
      When the requested ECC strength does not exactly match the strengths
      supported by the ECC engine, the driver is selecting the closest
      strength meeting the 'selected_strength > requested_strength'
      constraint. Fix the fact that, in this particular case, ecc->strength
      value was not updated to match the 'selected_strength'.
      
      For instance, one can encounter this issue when no ECC requirement is
      filled in the device tree while the NAND chip minimum requirement is not
      a strength/step_size combo natively supported by the ECC engine.
      
      Fixes: 1fef62c1 ("mtd: nand: add sunxi NAND flash controller support")
      Suggested-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@free-electrons.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f645656
    • Miquel Raynal's avatar
      mtd: nand: Fix nand_do_read_oob() return value · 105f7cd0
      Miquel Raynal authored
      commit 87e89ce8 upstream.
      
      Starting from commit 041e4575 ("mtd: nand: handle ECC errors in
      OOB"), nand_do_read_oob() (from the NAND core) did return 0 or a
      negative error, and the MTD layer expected it.
      
      However, the trend for the NAND layer is now to return an error or a
      positive number of bitflips. Deciding which status to return to the user
      belongs to the MTD layer.
      
      Commit e47f6858 ("mtd: check for max_bitflips in mtd_read_oob()")
      brought this logic to the mtd_read_oob() function while the return value
      coming from nand_do_read_oob() (called by the ->_read_oob() hook) was
      left unchanged.
      
      Fixes: e47f6858 ("mtd: check for max_bitflips in mtd_read_oob()")
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@free-electrons.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      105f7cd0
    • Kamal Dasu's avatar
      mtd: nand: brcmnand: Disable prefetch by default · eda72c83
      Kamal Dasu authored
      commit f953f0f8 upstream.
      
      Brcm nand controller prefetch feature needs to be disabled
      by default. Enabling affects performance on random reads as
      well as dma reads.
      Signed-off-by: default avatarKamal Dasu <kdasu.kdev@gmail.com>
      Fixes: 27c5b17c ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller")
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eda72c83
    • Arnd Bergmann's avatar
      mtd: cfi: convert inline functions to macros · b4b3ad0c
      Arnd Bergmann authored
      commit 9e343e87 upstream.
      
      The map_word_() functions, dating back to linux-2.6.8, try to perform
      bitwise operations on a 'map_word' structure. This may have worked
      with compilers that were current then (gcc-3.4 or earlier), but end
      up being rather inefficient on any version I could try now (gcc-4.4 or
      higher). Specifically we hit a problem analyzed in gcc PR81715 where we
      fail to reuse the stack space for local variables.
      
      This can be seen immediately in the stack consumption for
      cfi_staa_erase_varsize() and other functions that (with CONFIG_KASAN)
      can be up to 2200 bytes. Changing the inline functions into macros brings
      this down to 1280 bytes.  Without KASAN, the same problem exists, but
      the stack consumption is lower to start with, my patch shrinks it from
      920 to 496 bytes on with arm-linux-gnueabi-gcc-5.4, and saves around
      1KB in .text size for cfi_cmdset_0020.c, as it avoids copying map_word
      structures for each call to one of these helpers.
      
      With the latest gcc-8 snapshot, the problem is fixed in upstream gcc,
      but nobody uses that yet, so we should still work around it in mainline
      kernels and probably backport the workaround to stable kernels as well.
      We had a couple of other functions that suffered from the same gcc bug,
      and all of those had a simpler workaround involving dummy variables
      in the inline function. Unfortunately that did not work here, the
      macro hack was the best I could come up with.
      
      It would also be helpful to have someone to a little performance testing
      on the patch, to see how much it helps in terms of CPU utilitzation.
      
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=81715Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Acked-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@free-electrons.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b4b3ad0c
    • Malcolm Priestley's avatar
      media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner · f6ea3133
      Malcolm Priestley authored
      commit 7bf7a711 upstream.
      
      When the tuner was split from m88rs2000 the attach function is in wrong
      place.
      
      Move to dm04_lme2510_tuner to trap errors on failure and removing
      a call to lme_coldreset.
      
      Prevents driver starting up without any tuner connected.
      
      Fixes to trap for ts2020 fail.
      LME2510(C): FE Found M88RS2000
      ts2020: probe of 0-0060 failed with error -11
      ...
      LME2510(C): TUN Found RS2000 tuner
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f6ea3133
    • Malcolm Priestley's avatar
      media: dvb-usb-v2: lmedm04: Improve logic checking of warm start · ca48c81c
      Malcolm Priestley authored
      commit 3d932ee2 upstream.
      
      Warm start has no check as whether a genuine device has
      connected and proceeds to next execution path.
      
      Check device should read 0x47 at offset of 2 on USB descriptor read
      and it is the amount requested of 6 bytes.
      
      Fix for
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access as
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarMalcolm Priestley <tvboxspy@gmail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca48c81c
    • Mohamed Ghannam's avatar
      dccp: CVE-2017-8824: use-after-free in DCCP code · 3196c151
      Mohamed Ghannam authored
      commit 69c64866 upstream.
      
      Whenever the sock object is in DCCP_CLOSED state,
      dccp_disconnect() must free dccps_hc_tx_ccid and
      dccps_hc_rx_ccid and set to NULL.
      Signed-off-by: default avatarMohamed Ghannam <simo.ghannam@gmail.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3196c151
    • Steven Rostedt (VMware)'s avatar
      sched/rt: Up the root domain ref count when passing it around via IPIs · 911357ae
      Steven Rostedt (VMware) authored
      commit 364f5665 upstream.
      
      When issuing an IPI RT push, where an IPI is sent to each CPU that has more
      than one RT task scheduled on it, it references the root domain's rto_mask,
      that contains all the CPUs within the root domain that has more than one RT
      task in the runable state. The problem is, after the IPIs are initiated, the
      rq->lock is released. This means that the root domain that is associated to
      the run queue could be freed while the IPIs are going around.
      
      Add a sched_get_rd() and a sched_put_rd() that will increment and decrement
      the root domain's ref count respectively. This way when initiating the IPIs,
      the scheduler will up the root domain's ref count before releasing the
      rq->lock, ensuring that the root domain does not go away until the IPI round
      is complete.
      Reported-by: default avatarPavan Kondeti <pkondeti@codeaurora.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 4bdced5c ("sched/rt: Simplify the IPI based RT balancing logic")
      Link: http://lkml.kernel.org/r/CAEU1=PkiHO35Dzna8EQqNSKW1fr1y1zRQ5y66X117MG06sQtNA@mail.gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      911357ae
    • Steven Rostedt (VMware)'s avatar
      sched/rt: Use container_of() to get root domain in rto_push_irq_work_func() · af9de1a1
      Steven Rostedt (VMware) authored
      commit ad0f1d9d upstream.
      
      When the rto_push_irq_work_func() is called, it looks at the RT overloaded
      bitmask in the root domain via the runqueue (rq->rd). The problem is that
      during CPU up and down, nothing here stops rq->rd from changing between
      taking the rq->rd->rto_lock and releasing it. That means the lock that is
      released is not the same lock that was taken.
      
      Instead of using this_rq()->rd to get the root domain, as the irq work is
      part of the root domain, we can simply get the root domain from the irq work
      that is passed to the routine:
      
       container_of(work, struct root_domain, rto_push_work)
      
      This keeps the root domain consistent.
      Reported-by: default avatarPavan Kondeti <pkondeti@codeaurora.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mike Galbraith <efault@gmx.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Fixes: 4bdced5c ("sched/rt: Simplify the IPI based RT balancing logic")
      Link: http://lkml.kernel.org/r/CAEU1=PkiHO35Dzna8EQqNSKW1fr1y1zRQ5y66X117MG06sQtNA@mail.gmail.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af9de1a1
    • Petr Cvek's avatar
      usb: gadget: uvc: Missing files for configfs interface · 1bfe362d
      Petr Cvek authored
      commit c8cd7510 upstream.
      
      Commit 76e0da34 ("usb-gadget/uvc: use per-attribute show and store
      methods") caused a stringification of an undefined macro argument "aname",
      so three UVC parameters (streaming_interval, streaming_maxpacket and
      streaming_maxburst) were named "aname".
      
      Add the definition of "aname" to the main macro and name the filenames as
      originaly intended.
      Signed-off-by: default avatarPetr Cvek <petr.cvek@tul.cz>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1bfe362d
    • Thomas Gleixner's avatar
      posix-timer: Properly check sigevent->sigev_notify · 77f56f5d
      Thomas Gleixner authored
      commit cef31d9a upstream.
      
      timer_create() specifies via sigevent->sigev_notify the signal delivery for
      the new timer. The valid modes are SIGEV_NONE, SIGEV_SIGNAL, SIGEV_THREAD
      and (SIGEV_SIGNAL | SIGEV_THREAD_ID).
      
      The sanity check in good_sigevent() is only checking the valid combination
      for the SIGEV_THREAD_ID bit, i.e. SIGEV_SIGNAL, but if SIGEV_THREAD_ID is
      not set it accepts any random value.
      
      This has no real effects on the posix timer and signal delivery code, but
      it affects show_timer() which handles the output of /proc/$PID/timers. That
      function uses a string array to pretty print sigev_notify. The access to
      that array has no bound checks, so random sigev_notify cause access beyond
      the array bounds.
      
      Add proper checks for the valid notify modes and remove the SIGEV_THREAD_ID
      masking from various code pathes as SIGEV_NONE can never be set in
      combination with SIGEV_THREAD_ID.
      Reported-by: default avatarEric Biggers <ebiggers3@gmail.com>
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Reported-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: John Stultz <john.stultz@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77f56f5d
    • Eric W. Biederman's avatar
      netfilter: nf_queue: Make the queue_handler pernet · cb92c8fb
      Eric W. Biederman authored
      commit dc3ee32e upstream.
      
      Florian Weber reported:
      > Under full load (unshare() in loop -> OOM conditions) we can
      > get kernel panic:
      >
      > BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      > IP: [<ffffffff81476c85>] nfqnl_nf_hook_drop+0x35/0x70
      > [..]
      > task: ffff88012dfa3840 ti: ffff88012dffc000 task.ti: ffff88012dffc000
      > RIP: 0010:[<ffffffff81476c85>]  [<ffffffff81476c85>] nfqnl_nf_hook_drop+0x35/0x70
      > RSP: 0000:ffff88012dfffd80  EFLAGS: 00010206
      > RAX: 0000000000000008 RBX: ffffffff81add0c0 RCX: ffff88013fd80000
      > [..]
      > Call Trace:
      >  [<ffffffff81474d98>] nf_queue_nf_hook_drop+0x18/0x20
      >  [<ffffffff814738eb>] nf_unregister_net_hook+0xdb/0x150
      >  [<ffffffff8147398f>] netfilter_net_exit+0x2f/0x60
      >  [<ffffffff8141b088>] ops_exit_list.isra.4+0x38/0x60
      >  [<ffffffff8141b652>] setup_net+0xc2/0x120
      >  [<ffffffff8141bd09>] copy_net_ns+0x79/0x120
      >  [<ffffffff8106965b>] create_new_namespaces+0x11b/0x1e0
      >  [<ffffffff810698a7>] unshare_nsproxy_namespaces+0x57/0xa0
      >  [<ffffffff8104baa2>] SyS_unshare+0x1b2/0x340
      >  [<ffffffff81608276>] entry_SYSCALL_64_fastpath+0x1e/0xa8
      > Code: 65 00 48 89 e5 41 56 41 55 41 54 53 83 e8 01 48 8b 97 70 12 00 00 48 98 49 89 f4 4c 8b 74 c2 18 4d 8d 6e 08 49 81 c6 88 00 00 00 <49> 8b 5d 00 48 85 db 74 1a 48 89 df 4c 89 e2 48 c7 c6 90 68 47
      >
      
      The simple fix for this requires a new pernet variable for struct
      nf_queue that indicates when it is safe to use the dynamically
      allocated nf_queue state.
      
      As we need a variable anyway make nf_register_queue_handler and
      nf_unregister_queue_handler pernet.  This allows the existing logic of
      when it is safe to use the state from the nfnetlink_queue module to be
      reused with no changes except for making it per net.
      
      The syncrhonize_rcu from nf_unregister_queue_handler is moved to a new
      function nfnl_queue_net_exit_batch so that the worst case of having a
      syncrhonize_rcu in the pernet exit path is not experienced in batch
      mode.
      Reported-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Cc: Eric Biggers <ebiggers3@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb92c8fb
    • Hugh Dickins's avatar
      kaiser: fix compile error without vsyscall · 4f3e6ab4
      Hugh Dickins authored
      Tobias noticed a compile error on 4.4.115, and it's the same on 4.9.80:
      arch/x86/mm/kaiser.c: In function ‘kaiser_init’:
      arch/x86/mm/kaiser.c:348:8: error: ‘vsyscall_pgprot’ undeclared
                                         (first use in this function)
      
      It seems like his combination of kernel options doesn't work for KAISER.
      X86_VSYSCALL_EMULATION is not set on his system, while LEGACY_VSYSCALL
      is set to NONE (LEGACY_VSYSCALL_NONE=y). He managed to get things
      compiling again, by moving the 'extern unsigned long vsyscall_pgprot'
      outside of the preprocessor statement. This works because the optimizer
      removes that code (vsyscall_enabled() is always false) - and that's how
      it was done in some older backports.
      Reported-by: default avatarTobias Jakobi <tjakobi@math.uni-bielefeld.de>
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f3e6ab4
    • Eric Biggers's avatar
      x86/kaiser: fix build error with KASAN && !FUNCTION_GRAPH_TRACER · 9b6cab80
      Eric Biggers authored
      This is a build fix for the 4.4 PTI backport.  4.4 kernels do not have
      commit be7635e7 ("arch, ftrace: for KASAN put hard/soft IRQ entries
      into separate sections") which went into 4.6.  Consequently, the
      irqentry sections are only created when CONFIG_FUNCTION_GRAPH_TRACER is
      enabled, not also when CONFIG_KASAN is enabled.  Therefore, fix the
      condition for trying to add a user mapping for this section.
      
      This fixes the following build error:
      
          arch/x86/mm/kaiser.c: In function ‘kaiser_init’:
          arch/x86/mm/kaiser.c:367:33: error: ‘__irqentry_text_start’ undeclared (first use in this function)
            kaiser_add_user_map_ptrs_early(__irqentry_text_start,
          [...]
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9b6cab80
    • Yang Shunyong's avatar
      dmaengine: dmatest: fix container_of member in dmatest_callback · 002530fd
      Yang Shunyong authored
      commit 66b3bd23 upstream.
      
      The type of arg passed to dmatest_callback is struct dmatest_done.
      It refers to test_done in struct dmatest_thread, not done_wait.
      
      Fixes: 6f6a23a2 ("dmaengine: dmatest: move callback wait ...")
      Signed-off-by: default avatarYang Shunyong <shunyong.yang@hxt-semitech.com>
      Acked-by: default avatarAdam Wallis <awallis@codeaurora.org>
      Signed-off-by: default avatarVinod Koul <vinod.koul@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      002530fd
    • Aurelien Aptel's avatar
      CIFS: zero sensitive data when freeing · f260cb77
      Aurelien Aptel authored
      commit 97f4b727 upstream.
      
      also replaces memset()+kfree() by kzfree().
      Signed-off-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f260cb77
    • Daniel N Pettersson's avatar
      cifs: Fix autonegotiate security settings mismatch · aa8c1051
      Daniel N Pettersson authored
      commit 9aca7e45 upstream.
      
      Autonegotiation gives a security settings mismatch error if the SMB
      server selects an SMBv3 dialect that isn't SMB3.02. The exact error is
      "protocol revalidation - security settings mismatch".
      This can be tested using Samba v4.2 or by setting the global Samba
      setting max protocol = SMB3_00.
      
      The check that fails in smb3_validate_negotiate is the dialect
      verification of the negotiate info response. This is because it tries
      to verify against the protocol_id in the global smbdefault_values. The
      protocol_id in smbdefault_values is SMB3.02.
      In SMB2_negotiate the protocol_id in smbdefault_values isn't updated,
      it is global so it probably shouldn't be, but server->dialect is.
      
      This patch changes the check in smb3_validate_negotiate to use
      server->dialect instead of server->vals->protocol_id. The patch works
      with autonegotiate and when using a specific version in the vers mount
      option.
      Signed-off-by: default avatarDaniel N Pettersson <danielnp@axis.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa8c1051
    • Matthew Wilcox's avatar
      cifs: Fix missing put_xid in cifs_file_strict_mmap · e343f5fd
      Matthew Wilcox authored
      commit f04a703c upstream.
      
      If cifs_zap_mapping() returned an error, we would return without putting
      the xid that we got earlier.  Restructure cifs_file_strict_mmap() and
      cifs_file_mmap() to be more similar to each other and have a single
      point of return that always puts the xid.
      Signed-off-by: default avatarMatthew Wilcox <mawilcox@microsoft.com>
      Signed-off-by: default avatarSteve French <smfrench@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e343f5fd
    • Michal Suchanek's avatar
      powerpc/pseries: include linux/types.h in asm/hvcall.h · 5c2ea7f7
      Michal Suchanek authored
      commit 1b689a95 upstream.
      
      Commit 6e032b35 ("powerpc/powernv: Check device-tree for RFI flush
      settings") uses u64 in asm/hvcall.h without including linux/types.h
      
      This breaks hvcall.h users that do not include the header themselves.
      
      Fixes: 6e032b35 ("powerpc/powernv: Check device-tree for RFI flush settings")
      Signed-off-by: default avatarMichal Suchanek <msuchanek@suse.de>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c2ea7f7
    • Borislav Petkov's avatar
      x86/microcode: Do the family check first · ba929f5f
      Borislav Petkov authored
      commit 1f161f67 upstream with adjustments.
      
      On CPUs like AMD's Geode, for example, we shouldn't even try to load
      microcode because they do not support the modern microcode loading
      interface.
      
      However, we do the family check *after* the other checks whether the
      loader has been disabled on the command line or whether we're running in
      a guest.
      
      So move the family checks first in order to exit early if we're being
      loaded on an unsupported family.
      Reported-and-tested-by: default avatarSven Glodowski <glodi1@arcor.de>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: <stable@vger.kernel.org> # 4.11..
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Link: http://bugzilla.suse.com/show_bug.cgi?id=1061396
      Link: http://lkml.kernel.org/r/20171012112316.977-1-bp@alien8.deSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarRolf Neugebauer <rolf.neugebauer@docker.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba929f5f
    • Borislav Petkov's avatar
      x86/microcode/AMD: Do not load when running on a hypervisor · 3fe9cdee
      Borislav Petkov authored
      commit a15a7535 upstream with minor
      adjustments.
      
      Doing so is completely void of sense for multiple reasons so prevent
      it. Set dis_ucode_ldr to true and thus disable the microcode loader by
      default to address xen pv guests which execute the AP path but not the
      BSP path.
      
      By having it turned off by default, the APs won't run into the loader
      either.
      
      Also, check CPUID(1).ECX[31] which hypervisors set. Well almost, not the
      xen pv one. That one gets the aforementioned "fix".
      
      Also, improve the detection method by caching the final decision whether
      to continue loading in dis_ucode_ldr and do it once on the BSP. The APs
      then simply test that value.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Tested-by: default avatarJuergen Gross <jgross@suse.com>
      Tested-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Acked-by: default avatarJuergen Gross <jgross@suse.com>
      Link: http://lkml.kernel.org/r/20161218164414.9649-4-bp@alien8.deSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarRolf Neugebauer <rolf.neugebauer@docker.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3fe9cdee
    • Robert Baronescu's avatar
      crypto: tcrypt - fix S/G table for test_aead_speed() · 9ece237e
      Robert Baronescu authored
      commit 5c6ac1d4 upstream.
      
      In case buffer length is a multiple of PAGE_SIZE,
      the S/G table is incorrectly generated.
      Fix this by handling buflen = k * PAGE_SIZE separately.
      Signed-off-by: default avatarRobert Baronescu <robert.baronescu@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ece237e
    • Al Viro's avatar
      don't put symlink bodies in pagecache into highmem · 076e4ab3
      Al Viro authored
      commit 21fc61c7 upstream.
      
      kmap() in page_follow_link_light() needed to go - allowing to hold
      an arbitrary number of kmaps for long is a great way to deadlocking
      the system.
      
      new helper (inode_nohighmem(inode)) needs to be used for pagecache
      symlinks inodes; done for all in-tree cases.  page_follow_link_light()
      instrumented to yell about anything missed.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarJin Qian <jinqian@google.com>
      Signed-off-by: default avatarJin Qian <jinqian@android.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      076e4ab3
    • Eric Biggers's avatar
      KEYS: encrypted: fix buffer overread in valid_master_desc() · 33813d43
      Eric Biggers authored
      commit 794b4bc2 upstream.
      
      With the 'encrypted' key type it was possible for userspace to provide a
      data blob ending with a master key description shorter than expected,
      e.g. 'keyctl add encrypted desc "new x" @s'.  When validating such a
      master key description, validate_master_desc() could read beyond the end
      of the buffer.  Fix this by using strncmp() instead of memcmp().  [Also
      clean up the code to deduplicate some logic.]
      
      Cc: Mimi Zohar <zohar@linux.vnet.ibm.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarJames Morris <james.l.morris@oracle.com>
      Signed-off-by: default avatarJin Qian <jinqian@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      33813d43
    • Jesse Chan's avatar
      media: soc_camera: soc_scale_crop: add missing MODULE_DESCRIPTION/AUTHOR/LICENSE · 4f8a4e99
      Jesse Chan authored
      commit 5331aec1 upstream.
      
      This change resolves a new compile-time warning
      when built as a loadable module:
      
      WARNING: modpost: missing MODULE_LICENSE() in drivers/media/platform/soc_camera/soc_scale_crop.o
      see include/linux/module.h for more information
      
      This adds the license as "GPL", which matches the header of the file.
      
      MODULE_DESCRIPTION and MODULE_AUTHOR are also added.
      Signed-off-by: default avatarJesse Chan <jc@linux.com>
      Signed-off-by: default avatarHans Verkuil <hans.verkuil@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@s-opensource.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f8a4e99
    • Jason Wang's avatar
      vhost_net: stop device during reset owner · 711df717
      Jason Wang authored
      
      [ Upstream commit 4cd87951 ]
      
      We don't stop device before reset owner, this means we could try to
      serve any virtqueue kick before reset dev->worker. This will result a
      warn since the work was pending at llist during owner resetting. Fix
      this by stopping device during owner reset.
      
      Reported-by: syzbot+eb17c6162478cc50632c@syzkaller.appspotmail.com
      Fixes: 3a4d5c94 ("vhost_net: a kernel-level virtio server")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      711df717
    • Li RongQing's avatar
      tcp: release sk_frag.page in tcp_disconnect · 117991ed
      Li RongQing authored
      
      [ Upstream commit 9b42d55a ]
      
      socket can be disconnected and gets transformed back to a listening
      socket, if sk_frag.page is not released, which will be cloned into
      a new socket by sk_clone_lock, but the reference count of this page
      is increased, lead to a use after free or double free issue
      Signed-off-by: default avatarLi RongQing <lirongqing@baidu.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      117991ed
    • Chunhao Lin's avatar
      r8169: fix RTL8168EP take too long to complete driver initialization. · 9a0ef3cc
      Chunhao Lin authored
      
      [ Upstream commit 086ca23d ]
      
      Driver check the wrong register bit in rtl_ocp_tx_cond() that keep driver
      waiting until timeout.
      
      Fix this by waiting for the right register bit.
      Signed-off-by: default avatarChunhao Lin <hau@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a0ef3cc
    • Junxiao Bi's avatar
      qlcnic: fix deadlock bug · 3cdf2975
      Junxiao Bi authored
      
      [ Upstream commit 233ac389 ]
      
      The following soft lockup was caught. This is a deadlock caused by
      recusive locking.
      
      Process kworker/u40:1:28016 was holding spin lock "mbx->queue_lock" in
      qlcnic_83xx_mailbox_worker(), while a softirq came in and ask the same spin
      lock in qlcnic_83xx_enqueue_mbx_cmd(). This lock should be hold by disable
      bh..
      
      [161846.962125] NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [kworker/u40:1:28016]
      [161846.962367] Modules linked in: tun ocfs2 xen_netback xen_blkback xen_gntalloc xen_gntdev xen_evtchn xenfs xen_privcmd autofs4 ocfs2_dlmfs ocfs2_stack_o2cb ocfs2_dlm ocfs2_nodemanager ocfs2_stackglue configfs bnx2fc fcoe libfcoe libfc sunrpc 8021q mrp garp bridge stp llc bonding dm_round_robin dm_multipath iTCO_wdt iTCO_vendor_support pcspkr sb_edac edac_core i2c_i801 shpchp lpc_ich mfd_core ioatdma ipmi_devintf ipmi_si ipmi_msghandler sg ext4 jbd2 mbcache2 sr_mod cdrom sd_mod igb i2c_algo_bit i2c_core ahci libahci megaraid_sas ixgbe dca ptp pps_core vxlan udp_tunnel ip6_udp_tunnel qla2xxx scsi_transport_fc qlcnic crc32c_intel be2iscsi bnx2i cnic uio cxgb4i cxgb4 cxgb3i libcxgbi ipv6 cxgb3 mdio libiscsi_tcp qla4xxx iscsi_boot_sysfs libiscsi scsi_transport_iscsi dm_mirror dm_region_hash dm_log dm_mod
      [161846.962454]
      [161846.962460] CPU: 1 PID: 28016 Comm: kworker/u40:1 Not tainted 4.1.12-94.5.9.el6uek.x86_64 #2
      [161846.962463] Hardware name: Oracle Corporation SUN SERVER X4-2L      /ASSY,MB,X4-2L         , BIOS 26050100 09/19/2017
      [161846.962489] Workqueue: qlcnic_mailbox qlcnic_83xx_mailbox_worker [qlcnic]
      [161846.962493] task: ffff8801f2e34600 ti: ffff88004ca5c000 task.ti: ffff88004ca5c000
      [161846.962496] RIP: e030:[<ffffffff810013aa>]  [<ffffffff810013aa>] xen_hypercall_sched_op+0xa/0x20
      [161846.962506] RSP: e02b:ffff880202e43388  EFLAGS: 00000206
      [161846.962509] RAX: 0000000000000000 RBX: ffff8801f6996b70 RCX: ffffffff810013aa
      [161846.962511] RDX: ffff880202e433cc RSI: ffff880202e433b0 RDI: 0000000000000003
      [161846.962513] RBP: ffff880202e433d0 R08: 0000000000000000 R09: ffff8801fe893200
      [161846.962516] R10: ffff8801fe400538 R11: 0000000000000206 R12: ffff880202e4b000
      [161846.962518] R13: 0000000000000050 R14: 0000000000000001 R15: 000000000000020d
      [161846.962528] FS:  0000000000000000(0000) GS:ffff880202e40000(0000) knlGS:ffff880202e40000
      [161846.962531] CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
      [161846.962533] CR2: 0000000002612640 CR3: 00000001bb796000 CR4: 0000000000042660
      [161846.962536] Stack:
      [161846.962538]  ffff880202e43608 0000000000000000 ffffffff813f0442 ffff880202e433b0
      [161846.962543]  0000000000000000 ffff880202e433cc ffffffff00000001 0000000000000000
      [161846.962547]  00000009813f03d6 ffff880202e433e0 ffffffff813f0460 ffff880202e43440
      [161846.962552] Call Trace:
      [161846.962555]  <IRQ>
      [161846.962565]  [<ffffffff813f0442>] ? xen_poll_irq_timeout+0x42/0x50
      [161846.962570]  [<ffffffff813f0460>] xen_poll_irq+0x10/0x20
      [161846.962578]  [<ffffffff81014222>] xen_lock_spinning+0xe2/0x110
      [161846.962583]  [<ffffffff81013f01>] __raw_callee_save_xen_lock_spinning+0x11/0x20
      [161846.962592]  [<ffffffff816e5c57>] ? _raw_spin_lock+0x57/0x80
      [161846.962609]  [<ffffffffa028acfc>] qlcnic_83xx_enqueue_mbx_cmd+0x7c/0xe0 [qlcnic]
      [161846.962623]  [<ffffffffa028e008>] qlcnic_83xx_issue_cmd+0x58/0x210 [qlcnic]
      [161846.962636]  [<ffffffffa028caf2>] qlcnic_83xx_sre_macaddr_change+0x162/0x1d0 [qlcnic]
      [161846.962649]  [<ffffffffa028cb8b>] qlcnic_83xx_change_l2_filter+0x2b/0x30 [qlcnic]
      [161846.962657]  [<ffffffff8160248b>] ? __skb_flow_dissect+0x18b/0x650
      [161846.962670]  [<ffffffffa02856e5>] qlcnic_send_filter+0x205/0x250 [qlcnic]
      [161846.962682]  [<ffffffffa0285c77>] qlcnic_xmit_frame+0x547/0x7b0 [qlcnic]
      [161846.962691]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
      [161846.962696]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
      [161846.962701]  [<ffffffff81630112>] sch_direct_xmit+0x112/0x220
      [161846.962706]  [<ffffffff8160b80f>] __dev_queue_xmit+0x1df/0x5e0
      [161846.962710]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
      [161846.962721]  [<ffffffffa0575bd5>] bond_dev_queue_xmit+0x35/0x80 [bonding]
      [161846.962729]  [<ffffffffa05769fb>] __bond_start_xmit+0x1cb/0x210 [bonding]
      [161846.962736]  [<ffffffffa0576a71>] bond_start_xmit+0x31/0x60 [bonding]
      [161846.962740]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
      [161846.962745]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
      [161846.962749]  [<ffffffff8160bb1e>] __dev_queue_xmit+0x4ee/0x5e0
      [161846.962754]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
      [161846.962760]  [<ffffffffa05cfa72>] vlan_dev_hard_start_xmit+0xb2/0x150 [8021q]
      [161846.962764]  [<ffffffff8160ac22>] xmit_one+0x82/0x1a0
      [161846.962769]  [<ffffffff8160ad90>] dev_hard_start_xmit+0x50/0xa0
      [161846.962773]  [<ffffffff8160bb1e>] __dev_queue_xmit+0x4ee/0x5e0
      [161846.962777]  [<ffffffff8160bc33>] dev_queue_xmit_sk+0x13/0x20
      [161846.962789]  [<ffffffffa05adf74>] br_dev_queue_push_xmit+0x54/0xa0 [bridge]
      [161846.962797]  [<ffffffffa05ae4ff>] br_forward_finish+0x2f/0x90 [bridge]
      [161846.962807]  [<ffffffff810b0dad>] ? ttwu_do_wakeup+0x1d/0x100
      [161846.962811]  [<ffffffff815f929b>] ? __alloc_skb+0x8b/0x1f0
      [161846.962818]  [<ffffffffa05ae04d>] __br_forward+0x8d/0x120 [bridge]
      [161846.962822]  [<ffffffff815f613b>] ? __kmalloc_reserve+0x3b/0xa0
      [161846.962829]  [<ffffffff810be55e>] ? update_rq_runnable_avg+0xee/0x230
      [161846.962836]  [<ffffffffa05ae176>] br_forward+0x96/0xb0 [bridge]
      [161846.962845]  [<ffffffffa05af85e>] br_handle_frame_finish+0x1ae/0x420 [bridge]
      [161846.962853]  [<ffffffffa05afc4f>] br_handle_frame+0x17f/0x260 [bridge]
      [161846.962862]  [<ffffffffa05afad0>] ? br_handle_frame_finish+0x420/0x420 [bridge]
      [161846.962867]  [<ffffffff8160d057>] __netif_receive_skb_core+0x1f7/0x870
      [161846.962872]  [<ffffffff8160d6f2>] __netif_receive_skb+0x22/0x70
      [161846.962877]  [<ffffffff8160d913>] netif_receive_skb_internal+0x23/0x90
      [161846.962884]  [<ffffffffa07512ea>] ? xenvif_idx_release+0xea/0x100 [xen_netback]
      [161846.962889]  [<ffffffff816e5a10>] ? _raw_spin_unlock_irqrestore+0x20/0x50
      [161846.962893]  [<ffffffff8160e624>] netif_receive_skb_sk+0x24/0x90
      [161846.962899]  [<ffffffffa075269a>] xenvif_tx_submit+0x2ca/0x3f0 [xen_netback]
      [161846.962906]  [<ffffffffa0753f0c>] xenvif_tx_action+0x9c/0xd0 [xen_netback]
      [161846.962915]  [<ffffffffa07567f5>] xenvif_poll+0x35/0x70 [xen_netback]
      [161846.962920]  [<ffffffff8160e01b>] napi_poll+0xcb/0x1e0
      [161846.962925]  [<ffffffff8160e1c0>] net_rx_action+0x90/0x1c0
      [161846.962931]  [<ffffffff8108aaba>] __do_softirq+0x10a/0x350
      [161846.962938]  [<ffffffff8108ae75>] irq_exit+0x125/0x130
      [161846.962943]  [<ffffffff813f03a9>] xen_evtchn_do_upcall+0x39/0x50
      [161846.962950]  [<ffffffff816e7ffe>] xen_do_hypervisor_callback+0x1e/0x40
      [161846.962952]  <EOI>
      [161846.962959]  [<ffffffff816e5c4a>] ? _raw_spin_lock+0x4a/0x80
      [161846.962964]  [<ffffffff816e5b1e>] ? _raw_spin_lock_irqsave+0x1e/0xa0
      [161846.962978]  [<ffffffffa028e279>] ? qlcnic_83xx_mailbox_worker+0xb9/0x2a0 [qlcnic]
      [161846.962991]  [<ffffffff810a14e1>] ? process_one_work+0x151/0x4b0
      [161846.962995]  [<ffffffff8100c3f2>] ? check_events+0x12/0x20
      [161846.963001]  [<ffffffff810a1960>] ? worker_thread+0x120/0x480
      [161846.963005]  [<ffffffff816e187b>] ? __schedule+0x30b/0x890
      [161846.963010]  [<ffffffff810a1840>] ? process_one_work+0x4b0/0x4b0
      [161846.963015]  [<ffffffff810a1840>] ? process_one_work+0x4b0/0x4b0
      [161846.963021]  [<ffffffff810a6b3e>] ? kthread+0xce/0xf0
      [161846.963025]  [<ffffffff810a6a70>] ? kthread_freezable_should_stop+0x70/0x70
      [161846.963031]  [<ffffffff816e6522>] ? ret_from_fork+0x42/0x70
      [161846.963035]  [<ffffffff810a6a70>] ? kthread_freezable_should_stop+0x70/0x70
      [161846.963037] Code: cc 51 41 53 b8 1c 00 00 00 0f 05 41 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 51 41 53 b8 1d 00 00 00 0f 05 <41> 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
      Signed-off-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3cdf2975
    • Eric Dumazet's avatar
      net: igmp: add a missing rcu locking section · 47b32f06
      Eric Dumazet authored
      
      [ Upstream commit e7aadb27 ]
      
      Newly added igmpv3_get_srcaddr() needs to be called under rcu lock.
      
      Timer callbacks do not ensure this locking.
      
      =============================
      WARNING: suspicious RCU usage
      4.15.0+ #200 Not tainted
      -----------------------------
      ./include/linux/inetdevice.h:216 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      3 locks held by syzkaller616973/4074:
       #0:  (&mm->mmap_sem){++++}, at: [<00000000bfce669e>] __do_page_fault+0x32d/0xc90 arch/x86/mm/fault.c:1355
       #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] lockdep_copy_map include/linux/lockdep.h:178 [inline]
       #1:  ((&im->timer)){+.-.}, at: [<00000000619d2f71>] call_timer_fn+0x1c6/0x820 kernel/time/timer.c:1316
       #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] spin_lock_bh include/linux/spinlock.h:315 [inline]
       #2:  (&(&im->lock)->rlock){+.-.}, at: [<000000005f833c5c>] igmpv3_send_report+0x98/0x5b0 net/ipv4/igmp.c:600
      
      stack backtrace:
      CPU: 0 PID: 4074 Comm: syzkaller616973 Not tainted 4.15.0+ #200
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x194/0x257 lib/dump_stack.c:53
       lockdep_rcu_suspicious+0x123/0x170 kernel/locking/lockdep.c:4592
       __in_dev_get_rcu include/linux/inetdevice.h:216 [inline]
       igmpv3_get_srcaddr net/ipv4/igmp.c:329 [inline]
       igmpv3_newpack+0xeef/0x12e0 net/ipv4/igmp.c:389
       add_grhead.isra.27+0x235/0x300 net/ipv4/igmp.c:432
       add_grec+0xbd3/0x1170 net/ipv4/igmp.c:565
       igmpv3_send_report+0xd5/0x5b0 net/ipv4/igmp.c:605
       igmp_send_report+0xc43/0x1050 net/ipv4/igmp.c:722
       igmp_timer_expire+0x322/0x5c0 net/ipv4/igmp.c:831
       call_timer_fn+0x228/0x820 kernel/time/timer.c:1326
       expire_timers kernel/time/timer.c:1363 [inline]
       __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666
       run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692
       __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
       invoke_softirq kernel/softirq.c:365 [inline]
       irq_exit+0x1cc/0x200 kernel/softirq.c:405
       exiting_irq arch/x86/include/asm/apic.h:541 [inline]
       smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052
       apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:938
      
      Fixes: a46182b0 ("net: igmp: Use correct source address on IGMPv3 reports")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47b32f06
    • Nikolay Aleksandrov's avatar
      ip6mr: fix stale iterator · fff4f776
      Nikolay Aleksandrov authored
      
      [ Upstream commit 4adfa79f ]
      
      When we dump the ip6mr mfc entries via proc, we initialize an iterator
      with the table to dump but we don't clear the cache pointer which might
      be initialized from a prior read on the same descriptor that ended. This
      can result in lock imbalance (an unnecessary unlock) leading to other
      crashes and hangs. Clear the cache pointer like ipmr does to fix the issue.
      Thanks for the reliable reproducer.
      
      Here's syzbot's trace:
       WARNING: bad unlock balance detected!
       4.15.0-rc3+ #128 Not tainted
       syzkaller971460/3195 is trying to release lock (mrt_lock) at:
       [<000000006898068d>] ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
       but there are no more locks to release!
      
       other info that might help us debug this:
       1 lock held by syzkaller971460/3195:
        #0:  (&p->lock){+.+.}, at: [<00000000744a6565>] seq_read+0xd5/0x13d0
       fs/seq_file.c:165
      
       stack backtrace:
       CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
       Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
       Google 01/01/2011
       Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x194/0x257 lib/dump_stack.c:53
        print_unlock_imbalance_bug+0x12f/0x140 kernel/locking/lockdep.c:3561
        __lock_release kernel/locking/lockdep.c:3775 [inline]
        lock_release+0x5f9/0xda0 kernel/locking/lockdep.c:4023
        __raw_read_unlock include/linux/rwlock_api_smp.h:225 [inline]
        _raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255
        ipmr_mfc_seq_stop+0xe1/0x130 net/ipv6/ip6mr.c:553
        traverse+0x3bc/0xa00 fs/seq_file.c:135
        seq_read+0x96a/0x13d0 fs/seq_file.c:189
        proc_reg_read+0xef/0x170 fs/proc/inode.c:217
        do_loop_readv_writev fs/read_write.c:673 [inline]
        do_iter_read+0x3db/0x5b0 fs/read_write.c:897
        compat_readv+0x1bf/0x270 fs/read_write.c:1140
        do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
        C_SYSC_preadv fs/read_write.c:1209 [inline]
        compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
        do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
        do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
        entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
       RIP: 0023:0xf7f73c79
       RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
       RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
       RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
       RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
       R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       BUG: sleeping function called from invalid context at lib/usercopy.c:25
       in_atomic(): 1, irqs_disabled(): 0, pid: 3195, name: syzkaller971460
       INFO: lockdep is turned off.
       CPU: 1 PID: 3195 Comm: syzkaller971460 Not tainted 4.15.0-rc3+ #128
       Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
       Google 01/01/2011
       Call Trace:
        __dump_stack lib/dump_stack.c:17 [inline]
        dump_stack+0x194/0x257 lib/dump_stack.c:53
        ___might_sleep+0x2b2/0x470 kernel/sched/core.c:6060
        __might_sleep+0x95/0x190 kernel/sched/core.c:6013
        __might_fault+0xab/0x1d0 mm/memory.c:4525
        _copy_to_user+0x2c/0xc0 lib/usercopy.c:25
        copy_to_user include/linux/uaccess.h:155 [inline]
        seq_read+0xcb4/0x13d0 fs/seq_file.c:279
        proc_reg_read+0xef/0x170 fs/proc/inode.c:217
        do_loop_readv_writev fs/read_write.c:673 [inline]
        do_iter_read+0x3db/0x5b0 fs/read_write.c:897
        compat_readv+0x1bf/0x270 fs/read_write.c:1140
        do_compat_preadv64+0xdc/0x100 fs/read_write.c:1189
        C_SYSC_preadv fs/read_write.c:1209 [inline]
        compat_SyS_preadv+0x3b/0x50 fs/read_write.c:1203
        do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
        do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
        entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
       RIP: 0023:0xf7f73c79
       RSP: 002b:00000000e574a15c EFLAGS: 00000292 ORIG_RAX: 000000000000014d
       RAX: ffffffffffffffda RBX: 000000000000000f RCX: 0000000020a3afb0
       RDX: 0000000000000001 RSI: 0000000000000067 RDI: 0000000000000000
       RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
       R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
       R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
       WARNING: CPU: 1 PID: 3195 at lib/usercopy.c:26 _copy_to_user+0xb5/0xc0
       lib/usercopy.c:26
      Reported-by: default avatarsyzbot <bot+eceb3204562c41a438fa1f2335e0fe4f6886d669@syzkaller.appspotmail.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fff4f776