1. 11 Feb, 2020 19 commits
    • tcp: clear tp->delivered in tcp_disconnect() · 2d4bec3b
      Eric Dumazet authored
      [ Upstream commit 2fbdd562 ]
      
      tp->delivered needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: ddf1af6f ("tcp: new delivery accounting")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: Yuchung Cheng <ycheng@google.com>
      Acked-by: Neal Cardwell <ncardwell@google.com>
      Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tcp: clear tp->total_retrans in tcp_disconnect() · 4206e664
      Eric Dumazet authored
      [ Upstream commit c13c48c0 ]
      
      total_retrans needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: SeongJae Park <sjpark@amazon.de>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bnxt_en: Fix TC queue mapping. · e7ec10b4
      Michael Chan authored
      [ Upstream commit 18e4960c ]
      
      The driver currently only calls netdev_set_tc_queue when the number of
      TCs is greater than 1.  Instead, the comparison should be greater than
      or equal to 1.  Even with 1 TC, we need to set the queue mapping.
      
      This bug can cause warnings when the number of TCs is changed back to 1.
      
      Fixes: 7809592d ("bnxt_en: Enable MSIX early in bnxt_init_one().")
      Signed-off-by: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: stmmac: Delete txtimer in suspend() · 0529d1ea
      Nicolin Chen authored
      [ Upstream commit 14b41a29 ]
      
      When running v5.5 with a rootfs on NFS, memory abort may happen in
      the system resume stage:
       Unable to handle kernel paging request at virtual address dead00000000012a
       [dead00000000012a] address between user and kernel address ranges
       pc : run_timer_softirq+0x334/0x3d8
       lr : run_timer_softirq+0x244/0x3d8
       x1 : ffff800011cafe80 x0 : dead000000000122
       Call trace:
        run_timer_softirq+0x334/0x3d8
        efi_header_end+0x114/0x234
        irq_exit+0xd0/0xd8
        __handle_domain_irq+0x60/0xb0
        gic_handle_irq+0x58/0xa8
        el1_irq+0xb8/0x180
        arch_cpu_idle+0x10/0x18
        do_idle+0x1d8/0x2b0
        cpu_startup_entry+0x24/0x40
        secondary_start_kernel+0x1b4/0x208
       Code: f9000693 a9400660 f9000020 b4000040 (f9000401)
       ---[ end trace bb83ceeb4c482071 ]---
       Kernel panic - not syncing: Fatal exception in interrupt
       SMP: stopping secondary CPUs
       SMP: failed to stop secondary CPUs 2-3
       Kernel Offset: disabled
       CPU features: 0x00002,2300aa30
       Memory Limit: none
       ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      It's found that stmmac_xmit() and stmmac_resume() sometimes might
      run concurrently, possibly resulting in a race condition between
      mod_timer() and setup_timer(), being called by stmmac_xmit() and
      stmmac_resume() respectively.
      
      Since the resume() runs setup_timer() every time, it'd be safer to
      have del_timer_sync() in the suspend() as the counterpart.
      
      Signed-off-by: Nicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net_sched: fix an OOB access in cls_tcindex · 478c4b2f
      Cong Wang authored
      [ Upstream commit 599be01e ]
      
      As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
      to compute the size of memory allocation, but cp->hash is
      set again after the allocation, this caused an out-of-bound
      access.
      
      So we have to move all cp->hash initialization and computation
      before the memory allocation. Move cp->mask and cp->shift together
      as cp->hash may need them for computation too.
      
      Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
      Fixes: 331b7292 ("net: sched: RCU cls_tcindex")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: hsr: fix possible NULL deref in hsr_handle_frame() · d5524d5a
      Eric Dumazet authored
      [ Upstream commit 2b5b8251 ]
      
      hsr_port_get_rcu() can return NULL, so we need to be careful.
      
      general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
      CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
      RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
      Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
      RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
      RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
      RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
      R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
      R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
      FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
       __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
       __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
       __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
       process_backlog+0x206/0x750 net/core/dev.c:6144
       napi_poll net/core/dev.c:6582 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6650
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
       </IRQ>
      
      Fixes: c5a75911 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • l2tp: Allow duplicate session creation with UDP · f0af9cd8
      Ridge Kennedy authored
      [ Upstream commit 0d0d9a38 ]
      
      In the past it was possible to create multiple L2TPv3 sessions with the
      same session id as long as the sessions belonged to different tunnels.
      The resulting sessions had issues when used with IP encapsulated tunnels,
      but worked fine with UDP encapsulated ones. Some applications began to
      rely on this behaviour to avoid having to negotiate unique session ids.
      
      Some time ago a change was made to require session ids to be unique across
      all tunnels, breaking the applications making use of this "feature".
      
      This change relaxes the duplicate session id check to allow duplicates
      if both of the colliding sessions belong to UDP encapsulated tunnels.
      
      Fixes: dbdbc73b ("l2tp: fix duplicate session creation")
      Signed-off-by: Ridge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
      Acked-by: James Chapman <jchapman@katalix.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • gtp: use __GFP_NOWARN to avoid memalloc warning · f2f39420
      Taehee Yoo authored
      [ Upstream commit bd5cd35b ]
      
      gtp hashtable size is received by user-space.
      So, this hashtable size could be too large. If so, kmalloc will internally
      print a warning message.
      This warning message is actually not necessary for the gtp module.
      So, this patch adds __GFP_NOWARN to avoid this message.
      
      Splat looks like:
      [ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740
      [ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv]
      [ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321
      [ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740
      [ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0
      [ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246
      [ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000
      [ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000
      [ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000
      [ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43
      [ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240
      [ 2171.292328][ T1860] FS:  00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
      [ 2171.293409][ T1860] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0
      [ 2171.295424][ T1860] Call Trace:
      [ 2171.295756][ T1860]  ? mark_held_locks+0xa5/0xe0
      [ 2171.296659][ T1860]  ? __alloc_pages_slowpath+0x21b0/0x21b0
      [ 2171.298283][ T1860]  ? gtp_encap_enable_socket+0x13e/0x400 [gtp]
      [ 2171.298962][ T1860]  ? alloc_pages_current+0xc1/0x1a0
      [ 2171.299475][ T1860]  kmalloc_order+0x22/0x80
      [ 2171.299936][ T1860]  kmalloc_order_trace+0x1d/0x140
      [ 2171.300437][ T1860]  __kmalloc+0x302/0x3a0
      [ 2171.300896][ T1860]  gtp_newlink+0x293/0xba0 [gtp]
      [ ... ]
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: Taehee Yoo <ap420073@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cls_rsvp: fix rsvp_policy · 1cb578dc
      Eric Dumazet authored
      [ Upstream commit cb3c0e6b ]
      
      NLA_BINARY can be confusing, since .len value represents
      the max size of the blob.
      
      cls_rsvp really wants user space to provide long enough data
      for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
      
      BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
      BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
      BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
      CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       rsvp_get net/sched/cls_rsvp.h:258 [inline]
       gen_handle net/sched/cls_rsvp.h:402 [inline]
       rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
       tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
       rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
       netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45b349
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2774 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
       netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 6fa8c014 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sparc32: fix struct ipc64_perm type definition · 9e154752
      Arnd Bergmann authored
      [ Upstream commit 34ca70ef ]
      
      As discussed in the strace issue tracker, it appears that the sparc32
      sysvipc support has been broken for the past 11 years. It was however
      working in compat mode, which is how it must have escaped most of the
      regular testing.
      
      The problem is that a cleanup patch inadvertently changed the uid/gid
      fields in struct ipc64_perm from 32-bit types to 16-bit types in uapi
      headers.
      
      Both glibc and uclibc-ng still use the original types, so they should
      work fine with compat mode, but not natively.  Change the definitions
      to use __kernel_uid32_t and __kernel_gid32_t again.
      
      Fixes: 83c86984 ("sparc: unify ipcbuf.h")
      Link: https://github.com/strace/strace/issues/116
      Cc: <stable@vger.kernel.org> # v2.6.29
      Cc: Sam Ravnborg <sam@ravnborg.org>
      Cc: "Dmitry V . Levin" <ldv@altlinux.org>
      Cc: Rich Felker <dalias@libc.org>
      Cc: libc-alpha@sourceware.org
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • iwlwifi: mvm: fix NVM check for 3168 devices · 9940e10d
      Luca Coelho authored
      [ Upstream commit b3f20e09 ]
      
      We had a check on !NVM_EXT and then a check for NVM_SDP in the else
      block of this if.  The else block, obviously, could only be reached if
      using NVM_EXT, so it would never be NVM_SDP.
      
      Fix that by checking whether the nvm_type is IWL_NVM instead of
      checking for !IWL_NVM_EXT to solve this issue.
      
      Reported-by: Stefan Sperling <stsp@stsp.name>
      Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • printk: fix exclusive_console replaying · 8360063b
      John Ogness authored
      [ Upstream commit def97da1 ]
      
      Commit f92b070f ("printk: Do not miss new messages when replaying
      the log") introduced a new variable @exclusive_console_stop_seq to
      store when an exclusive console should stop printing. It should be
      set to the @console_seq value at registration. However, @console_seq
      is previously set to @syslog_seq so that the exclusive console knows
      where to begin. This results in the exclusive console immediately
      reactivating all the other consoles and thus repeating the messages
      for those consoles.
      
      Set @console_seq after @exclusive_console_stop_seq has stored the
      current @console_seq value.
      
      Fixes: f92b070f ("printk: Do not miss new messages when replaying the log")
      Link: http://lkml.kernel.org/r/20191219115322.31160-1-john.ogness@linutronix.de
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: John Ogness <john.ogness@linutronix.de>
      Acked-by: Sergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: Petr Mladek <pmladek@suse.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • udf: Allow writing to 'Rewritable' partitions · 97bc3b7d
      Jan Kara authored
      [ Upstream commit 15fb05fd ]
      
      UDF 2.60 standard states in section 2.2.14.2:
      
          A partition with Access Type 3 (rewritable) shall define a Freed
          Space Bitmap or a Freed Space Table, see 2.3.3. All other partitions
          shall not define a Freed Space Bitmap or a Freed Space Table.
      
          Rewritable partitions are used on media that require some form of
          preprocessing before re-writing data (for example legacy MO). Such
          partitions shall use Access Type 3.
      
          Overwritable partitions are used on media that do not require
          preprocessing before overwriting data (for example: CD-RW, DVD-RW,
          DVD+RW, DVD-RAM, BD-RE, HD DVD-Rewritable). Such partitions shall
          use Access Type 4.
      
      however older versions of the standard didn't have this wording and
      there are tools out there that create UDF filesystems with rewritable
      partitions but that don't contain a Freed Space Bitmap or a Freed Space
      Table on media that does not require pre-processing before overwriting a
      block. So instead of forcing media with rewritable partition read-only,
      base this decision on presence of a Freed Space Bitmap or a Freed Space
      Table.
      
      Reported-by: Pali Rohár <pali.rohar@gmail.com>
      Reviewed-by: Pali Rohár <pali.rohar@gmail.com>
      Fixes: b085fbe2 ("udf: Fix crash during mount")
      Link: https://lore.kernel.org/linux-fsdevel/20200112144735.hj2emsoy4uwsouxz@pali
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR · 218ab8f8
      Pawan Gupta authored
      [ Upstream commit 5efc6fa9 ]
      
      /proc/cpuinfo currently reports Hardware Lock Elision (HLE) feature to
      be present on boot cpu even if it was disabled during the bootup. This
      is because cpuinfo_x86->x86_capability HLE bit is not updated after TSX
      state is changed via the new MSR IA32_TSX_CTRL.
      
      Update the cached HLE bit also since it is expected to change after an
      update to CPUID_CLEAR bit in MSR IA32_TSX_CTRL.
      
      Fixes: 95c5824f ("x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default")
      Signed-off-by: Pawan Gupta <pawan.kumar.gupta@linux.intel.com>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Tested-by: Neelima Krishnan <neelima.krishnan@intel.com>
      Reviewed-by: Dave Hansen <dave.hansen@linux.intel.com>
      Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/2529b99546294c893dfa1c89e2b3e46da3369a59.1578685425.git.pawan.kumar.gupta@linux.intel.com
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • ocfs2: fix oops when writing cloned file · e31057d4
      Gang He authored
      [ Upstream commit 2d797e9f ]
      
      Writing a cloned file triggers a kernel oops and the user-space command
      process is also killed by the system.  The bug can be reproduced stably
      via:
      
      1) create a file under ocfs2 file system directory.
      
        journalctl -b > aa.txt
      
      2) create a cloned file for this file.
      
        reflink aa.txt bb.txt
      
      3) write the cloned file with dd command.
      
        dd if=/dev/zero of=bb.txt bs=512 count=1 conv=notrunc
      
      The dd command is killed by the kernel, then you can see the oops message
      via dmesg command.
      
      [  463.875404] BUG: kernel NULL pointer dereference, address: 0000000000000028
      [  463.875413] #PF: supervisor read access in kernel mode
      [  463.875416] #PF: error_code(0x0000) - not-present page
      [  463.875418] PGD 0 P4D 0
      [  463.875425] Oops: 0000 [#1] SMP PTI
      [  463.875431] CPU: 1 PID: 2291 Comm: dd Tainted: G           OE     5.3.16-2-default
      [  463.875433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      [  463.875500] RIP: 0010:ocfs2_refcount_cow+0xa4/0x5d0 [ocfs2]
      [  463.875505] Code: 06 89 6c 24 38 89 eb f6 44 24 3c 02 74 be 49 8b 47 28
      [  463.875508] RSP: 0018:ffffa2cb409dfce8 EFLAGS: 00010202
      [  463.875512] RAX: ffff8b1ebdca8000 RBX: 0000000000000001 RCX: ffff8b1eb73a9df0
      [  463.875515] RDX: 0000000000056a01 RSI: 0000000000000000 RDI: 0000000000000000
      [  463.875517] RBP: 0000000000000001 R08: ffff8b1eb73a9de0 R09: 0000000000000000
      [  463.875520] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
      [  463.875522] R13: ffff8b1eb922f048 R14: 0000000000000000 R15: ffff8b1eb922f048
      [  463.875526] FS:  00007f8f44d15540(0000) GS:ffff8b1ebeb00000(0000) knlGS:0000000000000000
      [  463.875529] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  463.875532] CR2: 0000000000000028 CR3: 000000003c17a000 CR4: 00000000000006e0
      [  463.875546] Call Trace:
      [  463.875596]  ? ocfs2_inode_lock_full_nested+0x18b/0x960 [ocfs2]
      [  463.875648]  ocfs2_file_write_iter+0xaf8/0xc70 [ocfs2]
      [  463.875672]  new_sync_write+0x12d/0x1d0
      [  463.875688]  vfs_write+0xad/0x1a0
      [  463.875697]  ksys_write+0xa1/0xe0
      [  463.875710]  do_syscall_64+0x60/0x1f0
      [  463.875743]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  463.875758] RIP: 0033:0x7f8f4482ed44
      [  463.875762] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 80 00 00 00
      [  463.875765] RSP: 002b:00007fff300a79d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [  463.875769] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8f4482ed44
      [  463.875771] RDX: 0000000000000200 RSI: 000055f771b5c000 RDI: 0000000000000001
      [  463.875774] RBP: 0000000000000200 R08: 00007f8f44af9c78 R09: 0000000000000003
      [  463.875776] R10: 000000000000089f R11: 0000000000000246 R12: 000055f771b5c000
      [  463.875779] R13: 0000000000000200 R14: 0000000000000000 R15: 000055f771b5c000
      
      This regression problem was introduced by commit e74540b2 ("ocfs2:
      protect extent tree in ocfs2_prepare_inode_for_write()").
      
      Link: http://lkml.kernel.org/r/20200121050153.13290-1-ghe@suse.com
      Fixes: e74540b2 ("ocfs2: protect extent tree in ocfs2_prepare_inode_for_write()").
      Signed-off-by: Gang He <ghe@suse.com>
      Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • media: iguanair: fix endpoint sanity check · df3eb85b
      Johan Hovold authored
      [ Upstream commit 1b257870 ]
      
      Make sure to use the current alternate setting, which need not be the
      first one by index, when verifying the endpoint descriptors and
      initialising the URBs.
      
      Failing to do so could cause the driver to misbehave or trigger a WARN()
      in usb_submit_urb() that kernels with panic_on_warn set would choke on.
      
      Fixes: 26ff6313 ("[media] Add support for the IguanaWorks USB IR Transceiver")
      Fixes: ab1cbdf1 ("media: iguanair: add sanity checks")
      Cc: stable <stable@vger.kernel.org>     # 3.6
      Cc: Oliver Neukum <oneukum@suse.com>
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Sean Young <sean@mess.org>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • kernel/module: Fix memleak in module_add_modinfo_attrs() · bdfaaf35
      YueHaibing authored
      [ Upstream commit f6d061d6 ]
      
      In module_add_modinfo_attrs() if sysfs_create_file() fails
      on the first iteration of the loop (so i = 0), we forget to
      free the modinfo_attrs.
      
      Fixes: bc6f2a75 ("kernel/module: Fix mem leak in module_add_modinfo_attrs")
      Reviewed-by: Miroslav Benes <mbenes@suse.cz>
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Signed-off-by: Jessica Yu <jeyu@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • ovl: fix lseek overflow on 32bit · 4f98fe43
      Miklos Szeredi authored
      [ Upstream commit a4ac9d45 ]
      
      ovl_lseek() is using ssize_t to return the value from vfs_llseek().  On a
      32-bit kernel ssize_t is a 32-bit signed int, which overflows above 2 GB.
      
      Assign the return value of vfs_llseek() to loff_t to fix this.
      
      Reported-by: Boris Gjenero <boris.gjenero@gmail.com>
      Fixes: 9e46b840 ("ovl: support stacked SEEK_HOLE/SEEK_DATA")
      Cc: <stable@vger.kernel.org> # v4.19
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • Revert "drm/sun4i: dsi: Change the start delay calculation" · 41be0c32
      Icenowy Zheng authored
      [ Upstream commit a00d17e0 ]
      
      This reverts commit da676c6a.
      
      The original commit adds a start parameter to the calculation of the
      start delay according to some old BSP versions from Allwinner. However,
      there're two ways to add this delay -- add it in DSI controller or add
      it in the TCON. Adding it in both controllers won't work.
      
      The code before this commit is picked from new versions of BSP kernel,
      which has a comment for the 1 that says "put start_delay to tcon". By
      checking the sun4i_tcon0_mode_set_cpu() in sun4i_tcon driver, it has
      already added this delay, so we shouldn't repeat to add the delay in DSI
      controller, otherwise the timing won't match.
      
      Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
      Reviewed-by: Jagan Teki <jagan@amarulasolutions.com>
      Signed-off-by: Maxime Ripard <mripard@kernel.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/20191001080253.6135-2-icenowy@aosc.io
      Signed-off-by: Sasha Levin <sashal@kernel.org>
  2. 05 Feb, 2020 21 commits