1. 18 Mar, 2018 22 commits
    • Takashi Iwai's avatar
      ALSA: seq: Don't allow resizing pool in use · 2b1d533f
      Takashi Iwai authored
      commit d8573936 upstream.
      
      This is a fix for a (sort of) fallout in the recent commit
      d15d662e ("ALSA: seq: Fix racy pool initializations") for
      CVE-2018-1000004.
      As the pool resize deletes the existing cells, it may lead to a race
      when another thread is writing concurrently, eventually resulting a
      UAF.
      
      A simple workaround is not to allow the pool resizing when the pool is
      in use.  It's an invalid behavior in anyway.
      
      Fixes: d15d662e ("ALSA: seq: Fix racy pool initializations")
      Reported-by: default avatar范龙飞 <long7573@126.com>
      Reported-by: default avatarNicolai Stange <nstange@suse.de>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b1d533f
    • Takashi Iwai's avatar
      ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520 · c90b35bc
      Takashi Iwai authored
      commit e312a869 upstream.
      
      The dock line-out pin (NID 0x17 of ALC3254 codec) on Dell Precision
      7520 may route to three different DACs, 0x02, 0x03 and 0x06.  The
      first two DACS have the volume amp controls while the last one
      doesn't.  And unfortunately, the auto-parser assigns this pin to DAC3,
      resulting in the non-working volume control for the line out.
      
      Fix it by disabling the routing to DAC3 on the corresponding pin.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199029
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c90b35bc
    • Seunghun Han's avatar
      x86/MCE: Serialize sysfs changes · e882c0ba
      Seunghun Han authored
      commit b3b7c479 upstream.
      
      The check_interval file in
      
        /sys/devices/system/machinecheck/machinecheck<cpu number>
      
      directory is a global timer value for MCE polling. If it is changed by one
      CPU, mce_restart() broadcasts the event to other CPUs to delete and restart
      the MCE polling timer and __mcheck_cpu_init_timer() reinitializes the
      mce_timer variable.
      
      If more than one CPU writes a specific value to the check_interval file
      concurrently, mce_timer is not protected from such concurrent accesses and
      all kinds of explosions happen. Since only root can write to those sysfs
      variables, the issue is not a big deal security-wise.
      
      However, concurrent writes to these configuration variables is void of
      reason so the proper thing to do is to serialize the access with a mutex.
      
      Boris:
      
       - Make store_int_with_restart() use device_store_ulong() to filter out
         negative intervals
       - Limit min interval to 1 second
       - Correct locking
       - Massage commit message
      Signed-off-by: default avatarSeunghun Han <kkamagui@gmail.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: stable@vger.kernel.org
      Link: http://lkml.kernel.org/r/20180302202706.9434-1-kkamagui@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e882c0ba
    • Michael Lyle's avatar
      bcache: don't attach backing with duplicate UUID · d6046c45
      Michael Lyle authored
      commit 86755b7a upstream.
      
      This can happen e.g. during disk cloning.
      
      This is an incomplete fix: it does not catch duplicate UUIDs earlier
      when things are still unattached.  It does not unregister the device.
      Further changes to cope better with this are planned but conflict with
      Coly's ongoing improvements to handling device errors.  In the meantime,
      one can manually stop the device after this has happened.
      
      Attempts to attach a duplicate device result in:
      
      [  136.372404] loop: module loaded
      [  136.424461] bcache: register_bdev() registered backing device loop0
      [  136.424464] bcache: bch_cached_dev_attach() Tried to attach loop0 but duplicate UUID already attached
      
      My test procedure is:
      
        dd if=/dev/sdb1 of=imgfile bs=1024 count=262144
        losetup -f imgfile
      Signed-off-by: default avatarMichael Lyle <mlyle@lyle.org>
      Reviewed-by: default avatarTang Junhui <tang.junhui@zte.com.cn>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6046c45
    • James Hogan's avatar
      kbuild: Handle builtin dtb file names containing hyphens · edcb6157
      James Hogan authored
      commit 55fe6da9 upstream.
      
      cmd_dt_S_dtb constructs the assembly source to incorporate a devicetree
      FDT (that is, the .dtb file) as binary data in the kernel image. This
      assembly source contains labels before and after the binary data. The
      label names incorporate the file name of the corresponding .dtb file.
      Hyphens are not legal characters in labels, so .dtb files built into the
      kernel with hyphens in the file name result in errors like the
      following:
      
      bcm3368-netgear-cvg834g.dtb.S: Assembler messages:
      bcm3368-netgear-cvg834g.dtb.S:5: Error: : no such section
      bcm3368-netgear-cvg834g.dtb.S:5: Error: junk at end of line, first unrecognized character is `-'
      bcm3368-netgear-cvg834g.dtb.S:6: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_begin:'
      bcm3368-netgear-cvg834g.dtb.S:8: Error: unrecognized opcode `__dtb_bcm3368-netgear-cvg834g_end:'
      bcm3368-netgear-cvg834g.dtb.S:9: Error: : no such section
      bcm3368-netgear-cvg834g.dtb.S:9: Error: junk at end of line, first unrecognized character is `-'
      
      Fix this by updating cmd_dt_S_dtb to transform all hyphens from the file
      name to underscores when constructing the labels.
      
      As of v4.16-rc2, 1139 .dts files across ARM64, ARM, MIPS and PowerPC
      contain hyphens in their names, but the issue only currently manifests
      on Broadcom MIPS platforms, as that is the only place where such files
      are built into the kernel. For example when CONFIG_DT_NETGEAR_CVG834G=y,
      or on BMIPS kernels when the dtbs target is used (in the latter case it
      admittedly shouldn't really build all the dtb.o files, but thats a
      separate issue).
      
      Fixes: 69583551 ("MIPS: BMIPS: rename bcm96358nb4ser to bcm6358-neufbox4-sercom")
      Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Reviewed-by: default avatarFrank Rowand <frowand.list@gmail.com>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: Michal Marek <michal.lkml@markovi.net>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: Kevin Cernekee <cernekee@gmail.com>
      Cc: <stable@vger.kernel.org> # 4.9+
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      edcb6157
    • Ross Zwisler's avatar
      loop: Fix lost writes caused by missing flag · bfdb222a
      Ross Zwisler authored
      commit 1d037577 upstream.
      
      The following commit:
      
      commit aa4d8616 ("block: loop: switch to VFS ITER_BVEC")
      
      replaced __do_lo_send_write(), which used ITER_KVEC iterators, with
      lo_write_bvec() which uses ITER_BVEC iterators.  In this change, though,
      the WRITE flag was lost:
      
      -       iov_iter_kvec(&from, ITER_KVEC | WRITE, &kvec, 1, len);
      +       iov_iter_bvec(&i, ITER_BVEC, bvec, 1, bvec->bv_len);
      
      This flag is necessary for the DAX case because we make decisions based on
      whether or not the iterator is a READ or a WRITE in dax_iomap_actor() and
      in dax_iomap_rw().
      
      We end up going through this path in configurations where we combine a PMEM
      device with 4k sectors, a loopback device and DAX.  The consequence of this
      missed flag is that what we intend as a write actually turns into a read in
      the DAX code, so no data is ever written.
      
      The very simplest test case is to create a loopback device and try and
      write a small string to it, then hexdump a few bytes of the device to see
      if the write took.  Without this patch you read back all zeros, with this
      you read back the string you wrote.
      
      For XFS this causes us to fail or panic during the following xfstests:
      
      	xfs/074 xfs/078 xfs/216 xfs/217 xfs/250
      
      For ext4 we have a similar issue where writes never happen, but we don't
      currently have any xfstests that use loopback and show this issue.
      
      Fix this by restoring the WRITE flag argument to iov_iter_bvec().  This
      causes the xfstests to all pass.
      
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: stable@vger.kernel.org
      Fixes: commit aa4d8616 ("block: loop: switch to VFS ITER_BVEC")
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarRoss Zwisler <ross.zwisler@linux.intel.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bfdb222a
    • Zhang Bo's avatar
      Input: matrix_keypad - fix race when disabling interrupts · 9bab71eb
      Zhang Bo authored
      commit ea4f7bd2 upstream.
      
      If matrix_keypad_stop() is executing and the keypad interrupt is triggered,
      disable_row_irqs() may be called by both matrix_keypad_interrupt() and
      matrix_keypad_stop() at the same time, causing interrupts to be disabled
      twice and the keypad being "stuck" after resuming.
      
      Take lock when setting keypad->stopped to ensure that ISR will not race
      with matrix_keypad_stop() disabling interrupts.
      Signed-off-by: default avatarZhang Bo <zbsdta@126.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9bab71eb
    • Colin Ian King's avatar
      MIPS: OCTEON: irq: Check for null return on kzalloc allocation · 175b57ba
      Colin Ian King authored
      commit 902f4d06 upstream.
      
      The allocation of host_data is not null checked, leading to a null
      pointer dereference if the allocation fails. Fix this by adding a null
      check and return with -ENOMEM.
      
      Fixes: 64b139f9 ("MIPS: OCTEON: irq: add CIB and other fixes")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: default avatarDavid Daney <david.daney@cavium.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: "Steven J. Hill" <Steven.Hill@cavium.com>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 4.0+
      Patchwork: https://patchwork.linux-mips.org/patch/18658/Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      175b57ba
    • Colin Ian King's avatar
      MIPS: ath25: Check for kzalloc allocation failure · 6e127d70
      Colin Ian King authored
      commit 1b22b4b2 upstream.
      
      Currently there is no null check on a failed allocation of board_data,
      and hence a null pointer dereference will occurr. Fix this by checking
      for the out of memory null pointer.
      
      Fixes: a7473717 ("MIPS: ath25: add board configuration detection")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: <stable@vger.kernel.org> # 3.19+
      Patchwork: https://patchwork.linux-mips.org/patch/18657/Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e127d70
    • Justin Chen's avatar
      MIPS: BMIPS: Do not mask IPIs during suspend · 8cbec159
      Justin Chen authored
      commit 06a3f0c9 upstream.
      
      Commit a3e6c1ef ("MIPS: IRQ: Fix disable_irq on CPU IRQs") fixes an
      issue where disable_irq did not actually disable the irq. The bug caused
      our IPIs to not be disabled, which actually is the correct behavior.
      
      With the addition of commit a3e6c1ef ("MIPS: IRQ: Fix disable_irq on
      CPU IRQs"), the IPIs were getting disabled going into suspend, thus
      schedule_ipi() was not being called. This caused deadlocks where
      schedulable task were not being scheduled and other cpus were waiting
      for them to do something.
      
      Add the IRQF_NO_SUSPEND flag so an irq_disable will not be called on the
      IPIs during suspend.
      Signed-off-by: default avatarJustin Chen <justinpopo6@gmail.com>
      Fixes: a3e6c1ef ("MIPS: IRQ: Fix disabled_irq on CPU IRQs")
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org
      Patchwork: https://patchwork.linux-mips.org/patch/17385/
      [jhogan@kernel.org: checkpatch: wrap long lines and fix commit refs]
      Signed-off-by: default avatarJames Hogan <jhogan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8cbec159
    • Alex Deucher's avatar
      drm/amdgpu: fix KV harvesting · 212dcfed
      Alex Deucher authored
      commit 545b0bcd upstream.
      
      Always set the graphics values to the max for the
      asic type.  E.g., some 1 RB chips are actually 1 RB chips,
      others are actually harvested 2 RB chips.
      
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      212dcfed
    • Alex Deucher's avatar
      drm/radeon: fix KV harvesting · be1c6fff
      Alex Deucher authored
      commit 0b58d90f upstream.
      
      Always set the graphics values to the max for the
      asic type.  E.g., some 1 RB chips are actually 1 RB chips,
      others are actually harvested 2 RB chips.
      
      Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=99353Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be1c6fff
    • Rex Zhu's avatar
      drm/amdgpu: Notify sbios device ready before send request · 58f85220
      Rex Zhu authored
      commit 1bced75f upstream.
      
      it is required if a platform supports PCIe root complex
      core voltage reduction. After receiving this notification,
      SBIOS can apply default PCIe root complex power policy.
      Reviewed-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarRex Zhu <Rex.Zhu@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58f85220
    • Lukas Wunner's avatar
      drm/amdgpu: Fix deadlock on runtime suspend · 690a151a
      Lukas Wunner authored
      commit aa0aad57 upstream.
      
      amdgpu's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
      which waits for the output poll worker to finish if it's running.
      
      The output poll worker meanwhile calls pm_runtime_get_sync() in
      amdgpu's ->detect hooks, which waits for the ongoing suspend to finish,
      causing a deadlock.
      
      Fix by not acquiring a runtime PM ref if the ->detect hooks are called
      in the output poll worker's context.  This is safe because the poll
      worker is only enabled while runtime active and we know that
      ->runtime_suspend waits for it to finish.
      
      Fixes: d38ceaf9 ("drm/amdgpu: add core driver (v4)")
      Cc: stable@vger.kernel.org # v4.2+: 27d4ee03: workqueue: Allow retrieval of current task's work struct
      Cc: stable@vger.kernel.org # v4.2+: 25c058cc: drm: Allow determining if current task is output poll worker
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Tested-by: default avatarMike Lothian <mike@fireburn.co.uk>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/4c9bf72aacae1eef062bd134cd112e0770a7f121.1518338789.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      690a151a
    • Lukas Wunner's avatar
      drm/radeon: Fix deadlock on runtime suspend · 40539a86
      Lukas Wunner authored
      commit 15734fef upstream.
      
      radeon's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
      which waits for the output poll worker to finish if it's running.
      
      The output poll worker meanwhile calls pm_runtime_get_sync() in
      radeon's ->detect hooks, which waits for the ongoing suspend to finish,
      causing a deadlock.
      
      Fix by not acquiring a runtime PM ref if the ->detect hooks are called
      in the output poll worker's context.  This is safe because the poll
      worker is only enabled while runtime active and we know that
      ->runtime_suspend waits for it to finish.
      
      Stack trace for posterity:
      
        INFO: task kworker/0:3:31847 blocked for more than 120 seconds
        Workqueue: events output_poll_execute [drm_kms_helper]
        Call Trace:
         schedule+0x3c/0x90
         rpm_resume+0x1e2/0x690
         __pm_runtime_resume+0x3f/0x60
         radeon_lvds_detect+0x39/0xf0 [radeon]
         output_poll_execute+0xda/0x1e0 [drm_kms_helper]
         process_one_work+0x14b/0x440
         worker_thread+0x48/0x4a0
      
        INFO: task kworker/2:0:10493 blocked for more than 120 seconds.
        Workqueue: pm pm_runtime_work
        Call Trace:
         schedule+0x3c/0x90
         schedule_timeout+0x1b3/0x240
         wait_for_common+0xc2/0x180
         wait_for_completion+0x1d/0x20
         flush_work+0xfc/0x1a0
         __cancel_work_timer+0xa5/0x1d0
         cancel_delayed_work_sync+0x13/0x20
         drm_kms_helper_poll_disable+0x1f/0x30 [drm_kms_helper]
         radeon_pmops_runtime_suspend+0x3d/0xa0 [radeon]
         pci_pm_runtime_suspend+0x61/0x1a0
         vga_switcheroo_runtime_suspend+0x21/0x70
         __rpm_callback+0x32/0x70
         rpm_callback+0x24/0x80
         rpm_suspend+0x12b/0x640
         pm_runtime_work+0x6f/0xb0
         process_one_work+0x14b/0x440
         worker_thread+0x48/0x4a0
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94147
      Fixes: 10ebc0bc ("drm/radeon: add runtime PM support (v2)")
      Cc: stable@vger.kernel.org # v3.13+: 27d4ee03: workqueue: Allow retrieval of current task's work struct
      Cc: stable@vger.kernel.org # v3.13+: 25c058cc: drm: Allow determining if current task is output poll worker
      Cc: Ismo Toijala <ismo.toijala@gmail.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/64ea02c44f91dda19bc563902b97bbc699040392.1518338789.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      40539a86
    • Lukas Wunner's avatar
      drm/nouveau: Fix deadlock on runtime suspend · cff2a8c5
      Lukas Wunner authored
      commit d61a5c10 upstream.
      
      nouveau's ->runtime_suspend hook calls drm_kms_helper_poll_disable(),
      which waits for the output poll worker to finish if it's running.
      
      The output poll worker meanwhile calls pm_runtime_get_sync() in
      nouveau_connector_detect() which waits for the ongoing suspend to finish,
      causing a deadlock.
      
      Fix by not acquiring a runtime PM ref if nouveau_connector_detect() is
      called in the output poll worker's context.  This is safe because
      the poll worker is only enabled while runtime active and we know that
      ->runtime_suspend waits for it to finish.
      
      Other contexts calling nouveau_connector_detect() do require a runtime
      PM ref, these comprise:
      
        status_store() drm sysfs interface
        ->fill_modes drm callback
        drm_fb_helper_probe_connector_modes()
        drm_mode_getconnector()
        nouveau_connector_hotplug()
        nouveau_display_hpd_work()
        nv17_tv_set_property()
      
      Stack trace for posterity:
      
        INFO: task kworker/0:1:58 blocked for more than 120 seconds.
        Workqueue: events output_poll_execute [drm_kms_helper]
        Call Trace:
         schedule+0x28/0x80
         rpm_resume+0x107/0x6e0
         __pm_runtime_resume+0x47/0x70
         nouveau_connector_detect+0x7e/0x4a0 [nouveau]
         nouveau_connector_detect_lvds+0x132/0x180 [nouveau]
         drm_helper_probe_detect_ctx+0x85/0xd0 [drm_kms_helper]
         output_poll_execute+0x11e/0x1c0 [drm_kms_helper]
         process_one_work+0x184/0x380
         worker_thread+0x2e/0x390
      
        INFO: task kworker/0:2:252 blocked for more than 120 seconds.
        Workqueue: pm pm_runtime_work
        Call Trace:
         schedule+0x28/0x80
         schedule_timeout+0x1e3/0x370
         wait_for_completion+0x123/0x190
         flush_work+0x142/0x1c0
         nouveau_pmops_runtime_suspend+0x7e/0xd0 [nouveau]
         pci_pm_runtime_suspend+0x5c/0x180
         vga_switcheroo_runtime_suspend+0x1e/0xa0
         __rpm_callback+0xc1/0x200
         rpm_callback+0x1f/0x70
         rpm_suspend+0x13c/0x640
         pm_runtime_work+0x6e/0x90
         process_one_work+0x184/0x380
         worker_thread+0x2e/0x390
      
      Bugzilla: https://bugs.archlinux.org/task/53497
      Bugzilla: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870523
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70388#c33
      Fixes: 5addcf0a ("nouveau: add runtime PM support (v0.9)")
      Cc: stable@vger.kernel.org # v3.12+: 27d4ee03: workqueue: Allow retrieval of current task's work struct
      Cc: stable@vger.kernel.org # v3.12+: 25c058cc: drm: Allow determining if current task is output poll worker
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/b7d2cbb609a80f59ccabfdf479b9d5907c603ea1.1518338789.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cff2a8c5
    • Lukas Wunner's avatar
      drm: Allow determining if current task is output poll worker · 1112c0a3
      Lukas Wunner authored
      commit 25c058cc upstream.
      
      Introduce a helper to determine if the current task is an output poll
      worker.
      
      This allows us to fix a long-standing deadlock in several DRM drivers
      wherein the ->runtime_suspend callback waits for the output poll worker
      to finish and the worker in turn calls a ->detect callback which waits
      for runtime suspend to finish.  The ->detect callback is invoked from
      multiple call sites and waiting for runtime suspend to finish is the
      correct thing to do except if it's executing in the context of the
      worker.
      
      v2: Expand kerneldoc to specifically mention deadlock between
          output poll worker and autosuspend worker as use case. (Lyude)
      
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/3549ce32e7f1467102e70d3e9cbf70c46bfe108e.1518593424.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1112c0a3
    • Lukas Wunner's avatar
      workqueue: Allow retrieval of current task's work struct · e235f151
      Lukas Wunner authored
      commit 27d4ee03 upstream.
      
      Introduce a helper to retrieve the current task's work struct if it is
      a workqueue worker.
      
      This allows us to fix a long-standing deadlock in several DRM drivers
      wherein the ->runtime_suspend callback waits for a specific worker to
      finish and that worker in turn calls a function which waits for runtime
      suspend to finish.  That function is invoked from multiple call sites
      and waiting for runtime suspend to finish is the correct thing to do
      except if it's executing in the context of the worker.
      
      Cc: Lai Jiangshan <jiangshanlai@gmail.com>
      Cc: Dave Airlie <airlied@redhat.com>
      Cc: Ben Skeggs <bskeggs@redhat.com>
      Cc: Alex Deucher <alexander.deucher@amd.com>
      Acked-by: default avatarTejun Heo <tj@kernel.org>
      Reviewed-by: default avatarLyude Paul <lyude@redhat.com>
      Signed-off-by: default avatarLukas Wunner <lukas@wunner.de>
      Link: https://patchwork.freedesktop.org/patch/msgid/2d8f603074131eb87e588d2b803a71765bd3a2fd.1518338788.git.lukas@wunner.deSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e235f151
    • himanshu.madhani@cavium.com's avatar
      scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS · 8bf4bc93
      himanshu.madhani@cavium.com authored
      commit 1514839b upstream.
      
      This patch fixes NULL pointer crash due to active timer running for abort
      IOCB.
      
      From crash dump analysis it was discoverd that get_next_timer_interrupt()
      encountered a corrupted entry on the timer list.
      
       #9 [ffff95e1f6f0fd40] page_fault at ffffffff914fe8f8
          [exception RIP: get_next_timer_interrupt+440]
          RIP: ffffffff90ea3088  RSP: ffff95e1f6f0fdf0  RFLAGS: 00010013
          RAX: ffff95e1f6451028  RBX: 000218e2389e5f40  RCX: 00000001232ad600
          RDX: 0000000000000001  RSI: ffff95e1f6f0fdf0  RDI: 0000000001232ad6
          RBP: ffff95e1f6f0fe40   R8: ffff95e1f6451188   R9: 0000000000000001
          R10: 0000000000000016  R11: 0000000000000016  R12: 00000001232ad5f6
          R13: ffff95e1f6450000  R14: ffff95e1f6f0fdf8  R15: ffff95e1f6f0fe10
          ORIG_RAX: ffffffffffffffff  CS: 0010  SS: 0018
      
      Looking at the assembly of get_next_timer_interrupt(), address came
      from %r8 (ffff95e1f6451188) which is pointing to list_head with single
      entry at ffff95e5ff621178.
      
       0xffffffff90ea307a <get_next_timer_interrupt+426>:      mov    (%r8),%rdx
       0xffffffff90ea307d <get_next_timer_interrupt+429>:      cmp    %r8,%rdx
       0xffffffff90ea3080 <get_next_timer_interrupt+432>:      je     0xffffffff90ea30a7 <get_next_timer_interrupt+471>
       0xffffffff90ea3082 <get_next_timer_interrupt+434>:      nopw   0x0(%rax,%rax,1)
       0xffffffff90ea3088 <get_next_timer_interrupt+440>:      testb  $0x1,0x18(%rdx)
      
       crash> rd ffff95e1f6451188 10
       ffff95e1f6451188:  ffff95e5ff621178 ffff95e5ff621178   x.b.....x.b.....
       ffff95e1f6451198:  ffff95e1f6451198 ffff95e1f6451198   ..E.......E.....
       ffff95e1f64511a8:  ffff95e1f64511a8 ffff95e1f64511a8   ..E.......E.....
       ffff95e1f64511b8:  ffff95e77cf509a0 ffff95e77cf509a0   ...|.......|....
       ffff95e1f64511c8:  ffff95e1f64511c8 ffff95e1f64511c8   ..E.......E.....
      
       crash> rd ffff95e5ff621178 10
       ffff95e5ff621178:  0000000000000001 ffff95e15936aa00   ..........6Y....
       ffff95e5ff621188:  0000000000000000 00000000ffffffff   ................
       ffff95e5ff621198:  00000000000000a0 0000000000000010   ................
       ffff95e5ff6211a8:  ffff95e5ff621198 000000000000000c   ..b.............
       ffff95e5ff6211b8:  00000f5800000000 ffff95e751f8d720   ....X... ..Q....
      
       ffff95e5ff621178 belongs to freed mempool object at ffff95e5ff621080.
      
       CACHE            NAME                 OBJSIZE  ALLOCATED     TOTAL  SLABS  SSIZE
       ffff95dc7fd74d00 mnt_cache                384      19785     24948    594    16k
         SLAB              MEMORY            NODE  TOTAL  ALLOCATED  FREE
         ffffdc5dabfd8800  ffff95e5ff620000     1     42         29    13
         FREE / [ALLOCATED]
          ffff95e5ff621080  (cpu 6 cache)
      
      Examining the contents of that memory reveals a pointer to a constant string
      in the driver, "abort\0", which is set by qla24xx_async_abort_cmd().
      
       crash> rd ffffffffc059277c 20
       ffffffffc059277c:  6e490074726f6261 0074707572726574   abort.Interrupt.
       ffffffffc059278c:  00676e696c6c6f50 6920726576697244   Polling.Driver i
       ffffffffc059279c:  646f6d207325206e 6974736554000a65   n %s mode..Testi
       ffffffffc05927ac:  636976656420676e 786c252074612065   ng device at %lx
       ffffffffc05927bc:  6b63656843000a2e 646f727020676e69   ...Checking prod
       ffffffffc05927cc:  6f20444920746375 0a2e706968632066   uct ID of chip..
       ffffffffc05927dc:  5120646e756f4600 204130303232414c   .Found QLA2200A
       ffffffffc05927ec:  43000a2e70696843 20676e696b636568   Chip...Checking
       ffffffffc05927fc:  65786f626c69616d 6c636e69000a2e73   mailboxes...incl
       ffffffffc059280c:  756e696c2f656475 616d2d616d642f78   ude/linux/dma-ma
      
       crash> struct -ox srb_iocb
       struct srb_iocb {
                 union {
                     struct {...} logio;
                     struct {...} els_logo;
                     struct {...} tmf;
                     struct {...} fxiocb;
                     struct {...} abt;
                     struct ct_arg ctarg;
                     struct {...} mbx;
                     struct {...} nack;
          [0x0 ] } u;
          [0xb8] struct timer_list timer;
          [0x108] void (*timeout)(void *);
       }
       SIZE: 0x110
      
       crash> ! bc
       ibase=16
       obase=10
       B8+40
       F8
      
      The object is a srb_t, and at offset 0xf8 within that structure
      (i.e. ffff95e5ff621080 + f8 -> ffff95e5ff621178) is a struct timer_list.
      
      Cc: <stable@vger.kernel.org> #4.4+
      Fixes: 4440e46d ("[SCSI] qla2xxx: Add IOCB Abort command asynchronous handling.")
      Signed-off-by: default avatarHimanshu Madhani <himanshu.madhani@cavium.com>
      Reviewed-by: default avatarJohannes Thumshirn <jthumshirn@suse.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8bf4bc93
    • Leon Romanovsky's avatar
      RDMA/mlx5: Fix integer overflow while resizing CQ · 6f8b6627
      Leon Romanovsky authored
      commit 28e9091e upstream.
      
      The user can provide very large cqe_size which will cause to integer
      overflow as it can be seen in the following UBSAN warning:
      
      =======================================================================
      UBSAN: Undefined behaviour in drivers/infiniband/hw/mlx5/cq.c:1192:53
      signed integer overflow:
      64870 * 65536 cannot be represented in type 'int'
      CPU: 0 PID: 267 Comm: syzkaller605279 Not tainted 4.15.0+ #90 Hardware
      name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
      Call Trace:
       dump_stack+0xde/0x164
       ? dma_virt_map_sg+0x22c/0x22c
       ubsan_epilogue+0xe/0x81
       handle_overflow+0x1f3/0x251
       ? __ubsan_handle_negate_overflow+0x19b/0x19b
       ? lock_acquire+0x440/0x440
       mlx5_ib_resize_cq+0x17e7/0x1e40
       ? cyc2ns_read_end+0x10/0x10
       ? native_read_msr_safe+0x6c/0x9b
       ? cyc2ns_read_end+0x10/0x10
       ? mlx5_ib_modify_cq+0x220/0x220
       ? sched_clock_cpu+0x18/0x200
       ? lookup_get_idr_uobject+0x200/0x200
       ? rdma_lookup_get_uobject+0x145/0x2f0
       ib_uverbs_resize_cq+0x207/0x3e0
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ib_uverbs_write+0x7f9/0xef0
       ? cyc2ns_read_end+0x10/0x10
       ? print_irqtrace_events+0x280/0x280
       ? ib_uverbs_ex_create_cq+0x250/0x250
       ? uverbs_devnode+0x110/0x110
       ? sched_clock_cpu+0x18/0x200
       ? do_raw_spin_trylock+0x100/0x100
       ? __lru_cache_add+0x16e/0x290
       __vfs_write+0x10d/0x700
       ? uverbs_devnode+0x110/0x110
       ? kernel_read+0x170/0x170
       ? sched_clock_cpu+0x18/0x200
       ? security_file_permission+0x93/0x260
       vfs_write+0x1b0/0x550
       SyS_write+0xc7/0x1a0
       ? SyS_read+0x1a0/0x1a0
       ? trace_hardirqs_on_thunk+0x1a/0x1c
       entry_SYSCALL_64_fastpath+0x1e/0x8b
      RIP: 0033:0x433549
      RSP: 002b:00007ffe63bd1ea8 EFLAGS: 00000217
      =======================================================================
      
      Cc: syzkaller <syzkaller@googlegroups.com>
      Cc: <stable@vger.kernel.org> # 3.13
      Fixes: bde51583 ("IB/mlx5: Add support for resize CQ")
      Reported-by: default avatarNoa Osherovich <noaos@mellanox.com>
      Reviewed-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f8b6627
    • Leon Romanovsky's avatar
      RDMA/ucma: Check that user doesn't overflow QP state · 52179bea
      Leon Romanovsky authored
      commit a5880b84 upstream.
      
      The QP state is limited and declared in enum ib_qp_state,
      but ucma user was able to supply any possible (u32) value.
      
      Reported-by: syzbot+0df1ab766f8924b1edba@syzkaller.appspotmail.com
      Fixes: 75216638 ("RDMA/cma: Export rdma cm interface to userspace")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52179bea
    • Leon Romanovsky's avatar
      RDMA/ucma: Limit possible option size · 42228fa0
      Leon Romanovsky authored
      commit 6a21dfc0 upstream.
      
      Users of ucma are supposed to provide size of option level,
      in most paths it is supposed to be equal to u8 or u16, but
      it is not the case for the IB path record, where it can be
      multiple of struct ib_path_rec_data.
      
      This patch takes simplest possible approach and prevents providing
      values more than possible to allocate.
      
      Reported-by: syzbot+a38b0e9f694c379ca7ce@syzkaller.appspotmail.com
      Fixes: 7ce86409 ("RDMA/ucma: Allow user space to set service type")
      Signed-off-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42228fa0
  2. 11 Mar, 2018 18 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.121 · 8b5ab55d
      Greg Kroah-Hartman authored
      8b5ab55d
    • Ernesto A. Fernández's avatar
      btrfs: preserve i_mode if __btrfs_set_acl() fails · 0fc85640
      Ernesto A. Fernández authored
      commit d7d82496 upstream.
      
      When changing a file's acl mask, btrfs_set_acl() will first set the
      group bits of i_mode to the value of the mask, and only then set the
      actual extended attribute representing the new acl.
      
      If the second part fails (due to lack of space, for example) and the
      file had no acl attribute to begin with, the system will from now on
      assume that the mask permission bits are actual group permission bits,
      potentially granting access to the wrong users.
      
      Prevent this by restoring the original mode bits if __btrfs_set_acl
      fails.
      Signed-off-by: default avatarErnesto A. Fernández <ernesto.mnd.fernandez@gmail.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      0fc85640
    • Daniel Borkmann's avatar
      bpf, x64: implement retpoline for tail call · ea1c4ebe
      Daniel Borkmann authored
      
      [ upstream commit a493a87f ]
      
      Implement a retpoline [0] for the BPF tail call JIT'ing that converts
      the indirect jump via jmp %rax that is used to make the long jump into
      another JITed BPF image. Since this is subject to speculative execution,
      we need to control the transient instruction sequence here as well
      when CONFIG_RETPOLINE is set, and direct it into a pause + lfence loop.
      The latter aligns also with what gcc / clang emits (e.g. [1]).
      
      JIT dump after patch:
      
        # bpftool p d x i 1
         0: (18) r2 = map[id:1]
         2: (b7) r3 = 0
         3: (85) call bpf_tail_call#12
         4: (b7) r0 = 2
         5: (95) exit
      
      With CONFIG_RETPOLINE:
      
        # bpftool p d j i 1
        [...]
        33:	cmp    %edx,0x24(%rsi)
        36:	jbe    0x0000000000000072  |*
        38:	mov    0x24(%rbp),%eax
        3e:	cmp    $0x20,%eax
        41:	ja     0x0000000000000072  |
        43:	add    $0x1,%eax
        46:	mov    %eax,0x24(%rbp)
        4c:	mov    0x90(%rsi,%rdx,8),%rax
        54:	test   %rax,%rax
        57:	je     0x0000000000000072  |
        59:	mov    0x28(%rax),%rax
        5d:	add    $0x25,%rax
        61:	callq  0x000000000000006d  |+
        66:	pause                      |
        68:	lfence                     |
        6b:	jmp    0x0000000000000066  |
        6d:	mov    %rax,(%rsp)         |
        71:	retq                       |
        72:	mov    $0x2,%eax
        [...]
      
        * relative fall-through jumps in error case
        + retpoline for indirect jump
      
      Without CONFIG_RETPOLINE:
      
        # bpftool p d j i 1
        [...]
        33:	cmp    %edx,0x24(%rsi)
        36:	jbe    0x0000000000000063  |*
        38:	mov    0x24(%rbp),%eax
        3e:	cmp    $0x20,%eax
        41:	ja     0x0000000000000063  |
        43:	add    $0x1,%eax
        46:	mov    %eax,0x24(%rbp)
        4c:	mov    0x90(%rsi,%rdx,8),%rax
        54:	test   %rax,%rax
        57:	je     0x0000000000000063  |
        59:	mov    0x28(%rax),%rax
        5d:	add    $0x25,%rax
        61:	jmpq   *%rax               |-
        63:	mov    $0x2,%eax
        [...]
      
        * relative fall-through jumps in error case
        - plain indirect jump as before
      
        [0] https://support.google.com/faqs/answer/7625886
        [1] https://github.com/gcc-mirror/gcc/commit/a31e654fa107be968b802786d747e962c2fcdb2bSigned-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea1c4ebe
    • Mike Snitzer's avatar
      dm io: fix duplicate bio completion due to missing ref count · bb97a657
      Mike Snitzer authored
      commit feb7695f upstream.
      
      If only a subset of the devices associated with multiple regions support
      a given special operation (eg. DISCARD) then the dec_count() that is
      used to set error for the region must increment the io->count.
      
      Otherwise, when the dec_count() is called it can cause the dm-io
      caller's bio to be completed multiple times.  As was reported against
      the dm-mirror target that had mirror legs with a mix of discard
      capabilities.
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=196077Reported-by: default avatarZhang Yi <yizhan@redhat.com>
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb97a657
    • Dan Williams's avatar
      mpls, nospec: Sanitize array index in mpls_label_ok() · e7f17d03
      Dan Williams authored
      commit 3968523f upstream.
      
      mpls_label_ok() validates that the 'platform_label' array index from a
      userspace netlink message payload is valid. Under speculation the
      mpls_label_ok() result may not resolve in the CPU pipeline until after
      the index is used to access an array element. Sanitize the index to zero
      to prevent userspace-controlled arbitrary out-of-bounds speculation, a
      precursor for a speculative execution side channel vulnerability.
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      [bwh: Backported to 4.4:
       - mpls_label_ok() doesn't take an extack parameter
       - Drop change in mpls_getroute()]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7f17d03
    • David Ahern's avatar
      net: mpls: Pull common label check into helper · 4bd01ca7
      David Ahern authored
      commit b7b386f4 upstream.
      
      mpls_route_add and mpls_route_del have the same checks on the label.
      Move to a helper. Avoid duplicate extack messages in the next patch.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4bd01ca7
    • Alexey Kodanev's avatar
      sctp: verify size of a new chunk in _sctp_make_chunk() · 54b183ea
      Alexey Kodanev authored
      
      [ Upstream commit 07f2c7ab ]
      
      When SCTP makes INIT or INIT_ACK packet the total chunk length
      can exceed SCTP_MAX_CHUNK_LEN which leads to kernel panic when
      transmitting these packets, e.g. the crash on sending INIT_ACK:
      
      [  597.804948] skbuff: skb_over_panic: text:00000000ffae06e4 len:120168
                     put:120156 head:000000007aa47635 data:00000000d991c2de
                     tail:0x1d640 end:0xfec0 dev:<NULL>
      ...
      [  597.976970] ------------[ cut here ]------------
      [  598.033408] kernel BUG at net/core/skbuff.c:104!
      [  600.314841] Call Trace:
      [  600.345829]  <IRQ>
      [  600.371639]  ? sctp_packet_transmit+0x2095/0x26d0 [sctp]
      [  600.436934]  skb_put+0x16c/0x200
      [  600.477295]  sctp_packet_transmit+0x2095/0x26d0 [sctp]
      [  600.540630]  ? sctp_packet_config+0x890/0x890 [sctp]
      [  600.601781]  ? __sctp_packet_append_chunk+0x3b4/0xd00 [sctp]
      [  600.671356]  ? sctp_cmp_addr_exact+0x3f/0x90 [sctp]
      [  600.731482]  sctp_outq_flush+0x663/0x30d0 [sctp]
      [  600.788565]  ? sctp_make_init+0xbf0/0xbf0 [sctp]
      [  600.845555]  ? sctp_check_transmitted+0x18f0/0x18f0 [sctp]
      [  600.912945]  ? sctp_outq_tail+0x631/0x9d0 [sctp]
      [  600.969936]  sctp_cmd_interpreter.isra.22+0x3be1/0x5cb0 [sctp]
      [  601.041593]  ? sctp_sf_do_5_1B_init+0x85f/0xc30 [sctp]
      [  601.104837]  ? sctp_generate_t1_cookie_event+0x20/0x20 [sctp]
      [  601.175436]  ? sctp_eat_data+0x1710/0x1710 [sctp]
      [  601.233575]  sctp_do_sm+0x182/0x560 [sctp]
      [  601.284328]  ? sctp_has_association+0x70/0x70 [sctp]
      [  601.345586]  ? sctp_rcv+0xef4/0x32f0 [sctp]
      [  601.397478]  ? sctp6_rcv+0xa/0x20 [sctp]
      ...
      
      Here the chunk size for INIT_ACK packet becomes too big, mostly
      because of the state cookie (INIT packet has large size with
      many address parameters), plus additional server parameters.
      
      Later this chunk causes the panic in skb_put_data():
      
        skb_packet_transmit()
            sctp_packet_pack()
                skb_put_data(nskb, chunk->skb->data, chunk->skb->len);
      
      'nskb' (head skb) was previously allocated with packet->size
      from u16 'chunk->chunk_hdr->length'.
      
      As suggested by Marcelo we should check the chunk's length in
      _sctp_make_chunk() before trying to allocate skb for it and
      discard a chunk if its size bigger than SCTP_MAX_CHUNK_LEN.
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leinter@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54b183ea
    • Julian Wiedmann's avatar
      s390/qeth: fix IPA command submission race · f3b580d3
      Julian Wiedmann authored
      
      [ Upstream commit d22ffb5a ]
      
      If multiple IPA commands are build & sent out concurrently,
      fill_ipacmd_header() may assign a seqno value to a command that's
      different from what send_control_data() later assigns to this command's
      reply.
      This is due to other commands passing through send_control_data(),
      and incrementing card->seqno.ipa along the way.
      
      So one IPA command has no reply that's waiting for its seqno, while some
      other IPA command has multiple reply objects waiting for it.
      Only one of those waiting replies wins, and the other(s) times out and
      triggers a recovery via send_ipa_cmd().
      
      Fix this by making sure that the same seqno value is assigned to
      a command and its reply object.
      Do so immediately before submitting the command & while holding the
      irq_pending "lock", to produce nicely ascending seqnos.
      
      As a side effect, *all* IPA commands now use a reply object that's
      waiting for its actual seqno. Previously, early IPA commands that were
      submitted while the card was still DOWN used the "catch-all" IDX seqno.
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f3b580d3
    • Julian Wiedmann's avatar
      s390/qeth: fix SETIP command handling · 290db9ba
      Julian Wiedmann authored
      
      [ Upstream commit 1c5b2216 ]
      
      send_control_data() applies some special handling to SETIP v4 IPA
      commands. But current code parses *all* command types for the SETIP
      command code. Limit the command code check to IPA commands.
      
      Fixes: 5b54e16f ("qeth: do not spin for SETIP ip assist command")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.vnet.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      290db9ba
    • Alexey Kodanev's avatar
      sctp: fix dst refcnt leak in sctp_v6_get_dst() · f99fb569
      Alexey Kodanev authored
      
      [ Upstream commit 957d761c ]
      
      When going through the bind address list in sctp_v6_get_dst() and
      the previously found address is better ('matchlen > bmatchlen'),
      the code continues to the next iteration without releasing currently
      held destination.
      
      Fix it by releasing 'bdst' before continue to the next iteration, and
      instead of introducing one more '!IS_ERR(bdst)' check for dst_release(),
      move the already existed one right after ip6_dst_lookup_flow(), i.e. we
      shouldn't proceed further if we get an error for the route lookup.
      
      Fixes: dbc2b5e9 ("sctp: fix src address selection if using secondary addresses for ipv6")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f99fb569
    • Tommi Rantala's avatar
      sctp: fix dst refcnt leak in sctp_v4_get_dst · c4faf87c
      Tommi Rantala authored
      
      [ Upstream commit 4a31a6b1 ]
      
      Fix dst reference count leak in sctp_v4_get_dst() introduced in commit
      410f0383 ("sctp: add routing output fallback"):
      
      When walking the address_list, successive ip_route_output_key() calls
      may return the same rt->dst with the reference incremented on each call.
      
      The code would not decrement the dst refcount when the dst pointer was
      identical from the previous iteration, causing the dst refcnt leak.
      
      Testcase:
        ip netns add TEST
        ip netns exec TEST ip link set lo up
        ip link add dummy0 type dummy
        ip link add dummy1 type dummy
        ip link add dummy2 type dummy
        ip link set dev dummy0 netns TEST
        ip link set dev dummy1 netns TEST
        ip link set dev dummy2 netns TEST
        ip netns exec TEST ip addr add 192.168.1.1/24 dev dummy0
        ip netns exec TEST ip link set dummy0 up
        ip netns exec TEST ip addr add 192.168.1.2/24 dev dummy1
        ip netns exec TEST ip link set dummy1 up
        ip netns exec TEST ip addr add 192.168.1.3/24 dev dummy2
        ip netns exec TEST ip link set dummy2 up
        ip netns exec TEST sctp_test -H 192.168.1.2 -P 20002 -h 192.168.1.1 -p 20000 -s -B 192.168.1.3
        ip netns del TEST
      
      In 4.4 and 4.9 kernels this results to:
        [  354.179591] unregister_netdevice: waiting for lo to become free. Usage count = 1
        [  364.419674] unregister_netdevice: waiting for lo to become free. Usage count = 1
        [  374.663664] unregister_netdevice: waiting for lo to become free. Usage count = 1
        [  384.903717] unregister_netdevice: waiting for lo to become free. Usage count = 1
        [  395.143724] unregister_netdevice: waiting for lo to become free. Usage count = 1
        [  405.383645] unregister_netdevice: waiting for lo to become free. Usage count = 1
        ...
      
      Fixes: 410f0383 ("sctp: add routing output fallback")
      Fixes: 0ca50d12 ("sctp: fix src address selection if using secondary addresses")
      Signed-off-by: default avatarTommi Rantala <tommi.t.rantala@nokia.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c4faf87c
    • Alexey Kodanev's avatar
      udplite: fix partial checksum initialization · e44cd77c
      Alexey Kodanev authored
      
      [ Upstream commit 15f35d49 ]
      
      Since UDP-Lite is always using checksum, the following path is
      triggered when calculating pseudo header for it:
      
        udp4_csum_init() or udp6_csum_init()
          skb_checksum_init_zero_check()
            __skb_checksum_validate_complete()
      
      The problem can appear if skb->len is less than CHECKSUM_BREAK. In
      this particular case __skb_checksum_validate_complete() also invokes
      __skb_checksum_complete(skb). If UDP-Lite is using partial checksum
      that covers only part of a packet, the function will return bad
      checksum and the packet will be dropped.
      
      It can be fixed if we skip skb_checksum_init_zero_check() and only
      set the required pseudo header checksum for UDP-Lite with partial
      checksum before udp4_csum_init()/udp6_csum_init() functions return.
      
      Fixes: ed70fcfc ("net: Call skb_checksum_init in IPv4")
      Fixes: e4f45b7f ("net: Call skb_checksum_init in IPv6")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e44cd77c
    • Guillaume Nault's avatar
      ppp: prevent unregistered channels from connecting to PPP units · eae0a9ae
      Guillaume Nault authored
      
      [ Upstream commit 77f840e3 ]
      
      PPP units don't hold any reference on the channels connected to it.
      It is the channel's responsibility to ensure that it disconnects from
      its unit before being destroyed.
      In practice, this is ensured by ppp_unregister_channel() disconnecting
      the channel from the unit before dropping a reference on the channel.
      
      However, it is possible for an unregistered channel to connect to a PPP
      unit: register a channel with ppp_register_net_channel(), attach a
      /dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel
      with ppp_unregister_channel() and finally connect the /dev/ppp file to
      a PPP unit with ioctl(PPPIOCCONNECT).
      
      Once in this situation, the channel is only held by the /dev/ppp file,
      which can be released at anytime and free the channel without letting
      the parent PPP unit know. Then the ppp structure ends up with dangling
      pointers in its ->channels list.
      
      Prevent this scenario by forbidding unregistered channels from
      connecting to PPP units. This maintains the code logic by keeping
      ppp_unregister_channel() responsible from disconnecting the channel if
      necessary and avoids modification on the reference counting mechanism.
      
      This issue seems to predate git history (successfully reproduced on
      Linux 2.6.26 and earlier PPP commits are unrelated).
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eae0a9ae
    • Nicolas Dichtel's avatar
      netlink: ensure to loop over all netns in genlmsg_multicast_allns() · 1b919f5a
      Nicolas Dichtel authored
      
      [ Upstream commit cb9f7a9a ]
      
      Nowadays, nlmsg_multicast() returns only 0 or -ESRCH but this was not the
      case when commit 134e6375 was pushed.
      However, there was no reason to stop the loop if a netns does not have
      listeners.
      Returns -ESRCH only if there was no listeners in all netns.
      
      To avoid having the same problem in the future, I didn't take the
      assumption that nlmsg_multicast() returns only 0 or -ESRCH.
      
      Fixes: 134e6375 ("genetlink: make netns aware")
      CC: Johannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b919f5a
    • Sabrina Dubroca's avatar
      net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 · 94522bee
      Sabrina Dubroca authored
      
      [ Upstream commit c7272c2f ]
      
      According to RFC 1191 sections 3 and 4, ICMP frag-needed messages
      indicating an MTU below 68 should be rejected:
      
          A host MUST never reduce its estimate of the Path MTU below 68
          octets.
      
      and (talking about ICMP frag-needed's Next-Hop MTU field):
      
          This field will never contain a value less than 68, since every
          router "must be able to forward a datagram of 68 octets without
          fragmentation".
      
      Furthermore, by letting net.ipv4.route.min_pmtu be set to negative
      values, we can end up with a very large PMTU when (-1) is cast into u32.
      
      Let's also make ip_rt_min_pmtu a u32, since it's only ever compared to
      unsigned ints.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      94522bee
    • Jakub Kicinski's avatar
      net: fix race on decreasing number of TX queues · 65fe24fd
      Jakub Kicinski authored
      
      [ Upstream commit ac5b7019 ]
      
      netif_set_real_num_tx_queues() can be called when netdev is up.
      That usually happens when user requests change of number of
      channels/rings with ethtool -L.  The procedure for changing
      the number of queues involves resetting the qdiscs and setting
      dev->num_tx_queues to the new value.  When the new value is
      lower than the old one, extra care has to be taken to ensure
      ordering of accesses to the number of queues vs qdisc reset.
      
      Currently the queues are reset before new dev->num_tx_queues
      is assigned, leaving a window of time where packets can be
      enqueued onto the queues going down, leading to a likely
      crash in the drivers, since most drivers don't check if TX
      skbs are assigned to an active queue.
      
      Fixes: e6484930 ("net: allocate tx queues in register_netdevice")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65fe24fd
    • Arnd Bergmann's avatar
      ipv6 sit: work around bogus gcc-8 -Wrestrict warning · 2f9e04ca
      Arnd Bergmann authored
      
      [ Upstream commit ca79bec2 ]
      
      gcc-8 has a new warning that detects overlapping input and output arguments
      in memcpy(). It triggers for sit_init_net() calling ipip6_tunnel_clone_6rd(),
      which is actually correct:
      
      net/ipv6/sit.c: In function 'sit_init_net':
      net/ipv6/sit.c:192:3: error: 'memcpy' source argument is the same as destination [-Werror=restrict]
      
      The problem here is that the logic detecting the memcpy() arguments finds them
      to be the same, but the conditional that tests for the input and output of
      ipip6_tunnel_clone_6rd() to be identical is not a compile-time constant.
      
      We know that netdev_priv(t->dev) is the same as t for a tunnel device,
      and comparing "dev" directly here lets the compiler figure out as well
      that 'dev == sitn->fb_tunnel_dev' when called from sit_init_net(), so
      it no longer warns.
      
      This code is old, so Cc stable to make sure that we don't get the warning
      for older kernels built with new gcc.
      
      Cc: Martin Sebor <msebor@gmail.com>
      Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83456Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f9e04ca
    • Denis Du's avatar
      hdlc_ppp: carrier detect ok, don't turn off negotiation · 830dd26a
      Denis Du authored
      
      [ Upstream commit b6c3bad1 ]
      
      Sometimes when physical lines have a just good noise to make the protocol
      handshaking fail, but the carrier detect still good. Then after remove of
      the noise, nobody will trigger this protocol to be start again to cause
      the link to never come back. The fix is when the carrier is still on, not
      terminate the protocol handshaking.
      Signed-off-by: default avatarDenis Du <dudenis2000@yahoo.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      830dd26a