1. 26 Jul, 2019 40 commits
      scsi: zfcp: fix request object use-after-free in send path causing seqno errors · 30724ade
      Benjamin Block authored
      commit b76becde upstream.
      
      With a recent change to our send path for FSF commands we introduced a
      possible use-after-free of request-objects, that might further lead to
      zfcp crafting bad requests, which the FCP channel correctly complains
      about with an error (FSF_PROT_SEQ_NUMB_ERROR). This error is then handled
      by an adapter-wide recovery.
      
      The following sequence illustrates the possible use-after-free:
      
          Send Path:
      
              int zfcp_fsf_open_port(struct zfcp_erp_action *erp_action)
              {
                      struct zfcp_fsf_req *req;
                      ...
                      spin_lock_irq(&qdio->req_q_lock);
              //                     ^^^^^^^^^^^^^^^^
              //                     protects QDIO queue during sending
                      ...
                      req = zfcp_fsf_req_create(qdio,
                                                FSF_QTCB_OPEN_PORT_WITH_DID,
                                                SBAL_SFLAGS0_TYPE_READ,
                                                qdio->adapter->pool.erp_req);
              //            ^^^^^^^^^^^^^^^^^^^
              //            allocation of the request-object
                      ...
                      retval = zfcp_fsf_req_send(req);
                      ...
                      spin_unlock_irq(&qdio->req_q_lock);
                      return retval;
              }
      
              static int zfcp_fsf_req_send(struct zfcp_fsf_req *req)
              {
                      struct zfcp_adapter *adapter = req->adapter;
                      struct zfcp_qdio *qdio = adapter->qdio;
                      ...
                      zfcp_reqlist_add(adapter->req_list, req);
              //      ^^^^^^^^^^^^^^^^
              //      add request to our driver-internal hash-table for tracking
              //      (protected by separate lock req_list->lock)
                      ...
                      if (zfcp_qdio_send(qdio, &req->qdio_req)) {
              //          ^^^^^^^^^^^^^^
              //          hand-off the request to FCP channel;
              //          the request can complete at any point now
                              ...
                      }
      
                      /* Don't increase for unsolicited status */
                      if (!zfcp_fsf_req_is_status_read_buffer(req))
              //           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
              //           possible use-after-free
                              adapter->fsf_req_seq_no++;
              //                       ^^^^^^^^^^^^^^^^
              //                       because of the use-after-free we might
              //                       miss this accounting, and as follow-up
              //                       this results in the FCP channel error
              //                       FSF_PROT_SEQ_NUMB_ERROR
                      adapter->req_no++;
      
                      return 0;
              }
      
              static inline bool
              zfcp_fsf_req_is_status_read_buffer(struct zfcp_fsf_req *req)
              {
                      return req->qtcb == NULL;
              //             ^^^^^^^^^
              //             possible use-after-free
              }
      
          Response Path:
      
              void zfcp_fsf_reqid_check(struct zfcp_qdio *qdio, int sbal_idx)
              {
                      ...
                      struct zfcp_fsf_req *fsf_req;
                      ...
                      for (idx = 0; idx < QDIO_MAX_ELEMENTS_PER_BUFFER; idx++) {
                              ...
                              fsf_req = zfcp_reqlist_find_rm(adapter->req_list,
                                                             req_id);
              //                        ^^^^^^^^^^^^^^^^^^^^
              //                        remove request from our driver-internal
              //                        hash-table (lock req_list->lock)
                              ...
                              zfcp_fsf_req_complete(fsf_req);
                      }
              }
      
              static void zfcp_fsf_req_complete(struct zfcp_fsf_req *req)
              {
                      ...
                      if (likely(req->status & ZFCP_STATUS_FSFREQ_CLEANUP))
                              zfcp_fsf_req_free(req);
              //              ^^^^^^^^^^^^^^^^^
              //              free memory for request-object
                      else
                              complete(&req->completion);
              //              ^^^^^^^^
              //              completion notification for code-paths that wait
              //              synchronous for the completion of the request; in
              //              those the memory is freed separately
              }
      
      The result of the use-after-free only affects the send path, and can not
      lead to any data corruption. In case we miss the sequence-number
      accounting, because the memory was already re-purposed, the next FSF
      command will fail with said FCP channel error, and we will recover the
      whole adapter. This causes no additional errors, but it slows down
      traffic.  There is a slight chance of the same thing happening again
      recursively after the adapter recovery, but so far this has not been seen.
      
      This was seen under z/VM, where the send path might run on a virtual CPU
      that gets scheduled away by z/VM, while the return path might still run,
      and so create the necessary timing. Running with KASAN can also slow down
      the kernel sufficiently to run into this use-after-free, and then see the
      report by KASAN.
      
      To fix this, simply pull the test for the sequence-number accounting in
      front of the hand-off to the FCP channel (this information doesn't change
      during hand-off), but leave the sequence-number accounting itself where it
      is.
      
      To make future regressions of the same kind less likely, add comments to
      all closely related code-paths.
      Signed-off-by: default avatarBenjamin Block <bblock@linux.ibm.com>
      Fixes: f9eca022 ("scsi: zfcp: drop duplicate fsf_command from zfcp_fsf_req which is also in QTCB header")
      Cc: <stable@vger.kernel.org> #5.0+
      Reviewed-by: default avatarSteffen Maier <maier@linux.ibm.com>
      Reviewed-by: default avatarJens Remus <jremus@linux.ibm.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30724ade
      scsi: sd_zbc: Fix compilation warning · 7b10d7e3
      Damien Le Moal authored
      commit 0cdc5858 upstream.
      
      kbuild test robot gets the following compilation warning using gcc 7.4
      cross compilation for c6x (GCC_VERSION=7.4.0 make.cross ARCH=c6x).
      
         In file included from include/asm-generic/bug.h:18:0,
                          from arch/c6x/include/asm/bug.h:12,
                          from include/linux/bug.h:5,
                          from include/linux/thread_info.h:12,
                          from include/asm-generic/current.h:5,
                          from ./arch/c6x/include/generated/asm/current.h:1,
                          from include/linux/sched.h:12,
                          from include/linux/blkdev.h:5,
                          from drivers//scsi/sd_zbc.c:11:
         drivers//scsi/sd_zbc.c: In function 'sd_zbc_read_zones':
      >> include/linux/kernel.h:62:48: warning: 'zone_blocks' may be used
         uninitialized in this function [-Wmaybe-uninitialized]
          #define __round_mask(x, y) ((__typeof__(x))((y)-1))
                                                         ^
         drivers//scsi/sd_zbc.c:464:6: note: 'zone_blocks' was declared here
           u32 zone_blocks;
               ^~~~~~~~~~~
      
      This is a false-positive report. The variable zone_blocks is always
      initialized in sd_zbc_check_zones() before use. It is left uninitialized
      if and only if sd_zbc_check_zones() fails.
      
      Avoid this warning by initializing the zone_blocks variable to 0.
      
      Fixes: 5f832a39 ("scsi: sd_zbc: Fix sd_zbc_check_zones() error checks")
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarDamien Le Moal <damien.lemoal@wdc.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7b10d7e3
      scsi: core: Fix race on creating sense cache · f263fbd2
      Ming Lei authored
      commit f9b0530f upstream.
      
      When scsi_init_sense_cache(host) is called concurrently from different
      hosts, each code path may find that no cache has been created and
      allocate a new one. The lack of locking can lead to potentially
      overriding a cache allocated by a different host.
      
      Fix the issue by moving 'mutex_lock(&scsi_sense_cache_mutex)' before
      scsi_select_sense_cache().
      
      Fixes: 0a6ac4ee ("scsi: respect unchecked_isa_dma for blk-mq")
      Cc: Stable <stable@vger.kernel.org>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: Ewan D. Milne <emilne@redhat.com>
      Signed-off-by: default avatarMing Lei <ming.lei@redhat.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f263fbd2
      Revert "scsi: ncr5380: Increase register polling limit" · 38fd8cec
      Finn Thain authored
      commit 25fcf94a upstream.
      
      This reverts commit 4822827a.
      
      The purpose of that commit was to suppress a timeout warning message which
      appeared to be caused by target latency. But suppressing the warning is
      undesirable as the warning may indicate a messed up transfer count.
      
      Another problem with that commit is that 15 ms is too long to keep
      interrupts disabled as interrupt latency can cause system clock drift and
      other problems.
      
      Cc: Michael Schmitz <schmitzmic@gmail.com>
      Cc: stable@vger.kernel.org
      Fixes: 4822827a ("scsi: ncr5380: Increase register polling limit")
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Tested-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38fd8cec
      scsi: NCR5380: Handle PDMA failure reliably · 3e7b99aa
      Finn Thain authored
      commit f9dfed1c upstream.
      
      A PDMA error is handled in the core driver by setting the device's 'borken'
      flag and aborting the command. Unfortunately, do_abort() is not
      dependable. Perform a SCSI bus reset instead, to make sure that the command
      fails and gets retried.
      
      Cc: Michael Schmitz <schmitzmic@gmail.com>
      Cc: stable@vger.kernel.org # v4.20+
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Tested-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e7b99aa
      scsi: NCR5380: Always re-enable reselection interrupt · 45749b15
      Finn Thain authored
      commit 57f31326 upstream.
      
      The reselection interrupt gets disabled during selection and must be
      re-enabled when hostdata->connected becomes NULL. If it isn't re-enabled a
      disconnected command may time-out or the target may wedge the bus while
      trying to reselect the host. This can happen after a command is aborted.
      
      Fix this by enabling the reselection interrupt in NCR5380_main() after
      calls to NCR5380_select() and NCR5380_information_transfer() return.
      
      Cc: Michael Schmitz <schmitzmic@gmail.com>
      Cc: stable@vger.kernel.org # v4.9+
      Fixes: 8b00c3d5 ("ncr5380: Implement new eh_abort_handler")
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Tested-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      45749b15
      xen: let alloc_xenballooned_pages() fail if not enough memory free · 1548da48
      Juergen Gross authored
      commit a1078e82 upstream.
      
      Instead of trying to allocate pages with GFP_USER in
      add_ballooned_pages(), check the available free memory via
      si_mem_available(). GFP_USER is far less effective at limiting memory
      exhaustion than the check via si_mem_available().
      
      This will avoid dom0 running out of memory due to excessive foreign
      page mappings especially on ARM and on x86 in PVH mode, as those don't
      have a pre-ballooned area which can be used for foreign mappings.
      
      As the normal ballooning suffers from the same problem don't balloon
      down more than si_mem_available() pages in one iteration. At the same
      time limit the default maximum number of retries.
      
      This is part of XSA-300.
      Signed-off-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1548da48
      floppy: fix out-of-bounds read in copy_buffer · 0a67173b
      Denis Efremov authored
      [ Upstream commit da99466a ]
      
      This fixes a global out-of-bounds read access in the copy_buffer
      function of the floppy driver.
      
      The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
      and head fields (unsigned int) of the floppy_drive structure are used to
      compute the max_sector (int) in the make_raw_rw_request function.  It is
      possible to overflow the max_sector.  Next, max_sector is passed to the
      copy_buffer function and used in one of the memcpy calls.
      
      An unprivileged user could trigger the bug if the device is accessible,
      but requires a floppy disk to be inserted.
      
      The patch adds a check in the set_geometry function that the
      .sect * .head multiplication does not overflow.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0a67173b
      floppy: fix invalid pointer dereference in drive_name · deaa1395
      Denis Efremov authored
      [ Upstream commit 9b04609b ]
      
      This fixes the invalid pointer dereference in the drive_name function of
      the floppy driver.
      
      The native_format field of the struct floppy_drive_params is used as
      floppy_type array index in the drive_name function.  Thus, the field
      should be checked the same way as the autodetect field.
      
      To trigger the bug, one could use a value out of range and set the drive
      parameters with the FDSETDRVPRM ioctl.  Next, FDGETDRVTYP ioctl should
      be used to call the drive_name.  A floppy disk is not required to be
      inserted.
      
      CAP_SYS_ADMIN is required to call FDSETDRVPRM.
      
      The patch adds the check for a value of the native_format field to be in
      the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
      indices.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      deaa1395
      floppy: fix out-of-bounds read in next_valid_format · acf80219
      Denis Efremov authored
      [ Upstream commit 5635f897 ]
      
      This fixes a global out-of-bounds read access in the next_valid_format
      function of the floppy driver.
      
      The values from autodetect field of the struct floppy_drive_params are
      used as indices for the floppy_type array in the next_valid_format
      function 'floppy_type[DP->autodetect[probed_format]].sect'.
      
      To trigger the bug, one could use a value out of range and set the drive
      parameters with the FDSETDRVPRM ioctl.  A floppy disk is not required to
      be inserted.
      
      CAP_SYS_ADMIN is required to call FDSETDRVPRM.
      
      The patch adds the check for values of the autodetect field to be in the
      '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      acf80219
      floppy: fix div-by-zero in setup_format_params · a2bd7b41
      Denis Efremov authored
      [ Upstream commit f3554aeb ]
      
      This fixes a divide by zero error in the setup_format_params function of
      the floppy driver.
      
      Two consecutive ioctls can trigger the bug: The first one should set the
      drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
      to become zero.  Next, the floppy format operation should be called.
      
      A floppy disk is not required to be inserted.  An unprivileged user
      could trigger the bug if the device is accessible.
      
      The patch checks F_SECT_PER_TRACK for a non-zero value in the
      set_geometry function.  The proper check should involve a reasonable
      upper limit for the .sect and .rate fields, but it could change the
      UAPI.
      
      The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
      cancels the formatting operation in case of zero.
      
      The bug was found by syzkaller.
      Signed-off-by: default avatarDenis Efremov <efremov@ispras.ru>
      Tested-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a2bd7b41
      libbpf: fix another GCC8 warning for strncpy · ae01e55f
      Andrii Nakryiko authored
      [ Upstream commit 763ff0e7 ]
      
      Similar issue was fixed in cdfc7f88 ("libbpf: fix GCC8 warning for
      strncpy") already. This one was missed. Fixing now.
      
      Cc: Magnus Karlsson <magnus.karlsson@intel.com>
      Signed-off-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Acked-by: default avatarMagnus Karlsson <magnus.karlsson@intel.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ae01e55f
      blk-iolatency: fix STS_AGAIN handling · 9a3aaff7
      Dennis Zhou authored
      [ Upstream commit c9b3007f ]
      
      The iolatency controller is based on rq_qos. It increments on
      rq_qos_throttle() and decrements on either rq_qos_cleanup() or
      rq_qos_done_bio(). a3fb01ba fixes the double accounting issue where
      blk_mq_make_request() may call both rq_qos_cleanup() and
      rq_qos_done_bio() on REQ_NO_WAIT. So checking STS_AGAIN prevents the
      double decrement.
      
      The above works upstream as the only way we can get STS_AGAIN is from
      blk_mq_get_request() failing. The STS_AGAIN handling isn't a real
      problem as bio_endio() skipping only happens on reserved tag allocation
      failures which can only be caused by driver bugs and already triggers
      WARN.
      
      However, the fix creates a not so great dependency on how STS_AGAIN can
      be propagated. Internally, we (Facebook) carry a patch that kills read
      ahead if a cgroup is io congested or a fatal signal is pending. Combined
      with chained bios propagating their bi_status to the parent if it is not
      already set, this can cause the parent bio to not clean up properly
      even though it was successful. This consequently leaks the inflight
      counter and can hang all IOs under that blkg.
      
      To nip the adverse interaction early, this removes the rq_qos_cleanup()
      callback in iolatency in favor of cleaning up always on the
      rq_qos_done_bio() path.
      
      Fixes: a3fb01ba ("blk-iolatency: only account submitted bios")
      Debugged-by: default avatarTejun Heo <tj@kernel.org>
      Debugged-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarDennis Zhou <dennis@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9a3aaff7
      iavf: fix dereference of null rx_buffer pointer · c05dbbdd
      Colin Ian King authored
      [ Upstream commit 9fe06a51 ]
      
      A recent commit efa14c39 ("iavf: allow null RX descriptors") added
      a null pointer sanity check on rx_buffer, however, rx_buffer is being
      dereferenced before that check, which implies a null pointer dereference
      bug can potentially occur.  Fix this by deferring the dereference of
      rx_buffer until after the null pointer check.
      
      Addresses-Coverity: ("Dereference before null check")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c05dbbdd
      net: hns3: fix __QUEUE_STATE_STACK_XOFF not cleared issue · 5be48072
      Huazhong Tan authored
      [ Upstream commit f96315f2 ]
      
      When changing the MTU or performing other operations that only call
      .reset_notify to do HNAE3_DOWN_CLIENT and HNAE3_UP_CLIENT, the
      netdev_tx_reset_queue() in hns3_clear_all_ring() is skipped. So
      dev_watchdog() may misdiagnose a TX timeout.
      
      This patch separates netdev_tx_reset_queue() from
      hns3_clear_all_ring(), and unifies hns3_clear_all_ring() and
      hns3_force_clear_all_ring into one, since they are doing
      similar things.
      
      Fixes: 3a30964a ("net: hns3: delay ring buffer clearing during reset")
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5be48072
      net: mvmdio: defer probe of orion-mdio if a clock is not ready · 067471e8
      Josua Mayer authored
      [ Upstream commit 433a06d7 ]
      
      Defer probing of the orion-mdio interface when getting a clock returns
      EPROBE_DEFER. This avoids locking up the Armada 8k SoC when mdio is used
      before all clocks have been enabled.
      Signed-off-by: default avatarJosua Mayer <josua@solid-run.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      067471e8
      xdp: fix race on generic receive path · fd7c22ba
      Ilya Maximets authored
      [ Upstream commit bf0bdd13 ]
      
      Unlike driver mode, generic xdp receive could be triggered
      by different threads on different CPU cores at the same time
      leading to the fill and rx queue breakage. For example, this
      could happen while sending packets from two processes to the
      first interface of veth pair while the second part of it is
      open with AF_XDP socket.
      
      Need to take a lock for each generic receive to avoid race.
      
      Fixes: c497176c ("xsk: add Rx receive functions and poll support")
      Signed-off-by: default avatarIlya Maximets <i.maximets@samsung.com>
      Acked-by: default avatarMagnus Karlsson <magnus.karlsson@intel.com>
      Tested-by: default avatarWilliam Tu <u9012063@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fd7c22ba
      gtp: fix use-after-free in gtp_newlink() · 29af1ae8
      Taehee Yoo authored
      [ Upstream commit a2bed907 ]
      
      Current gtp_newlink() could be called after unregister_pernet_subsys().
      gtp_newlink() uses gtp_net but it can be destroyed by
      unregister_pernet_subsys().
      So unregister_pernet_subsys() should be called after
      rtnl_link_unregister().
      
      Test commands:
         #SHELL 1
         while :
         do
      	   for i in {1..5}
      	   do
      		./gtp-link add gtp$i &
      	   done
      	   killall gtp-link
         done
      
         #SHELL 2
         while :
         do
      	modprobe -rv gtp
         done
      
      Splat looks like:
      [  753.176631] BUG: KASAN: use-after-free in gtp_newlink+0x9b4/0xa5c [gtp]
      [  753.177722] Read of size 8 at addr ffff8880d48f2458 by task gtp-link/7126
      [  753.179082] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G        W         5.2.0-rc6+ #50
      [  753.185801] Call Trace:
      [  753.186264]  dump_stack+0x7c/0xbb
      [  753.186863]  ? gtp_newlink+0x9b4/0xa5c [gtp]
      [  753.187583]  print_address_description+0xc7/0x240
      [  753.188382]  ? gtp_newlink+0x9b4/0xa5c [gtp]
      [  753.189097]  ? gtp_newlink+0x9b4/0xa5c [gtp]
      [  753.189846]  __kasan_report+0x12a/0x16f
      [  753.190542]  ? gtp_newlink+0x9b4/0xa5c [gtp]
      [  753.191298]  kasan_report+0xe/0x20
      [  753.191893]  gtp_newlink+0x9b4/0xa5c [gtp]
      [  753.192580]  ? __netlink_ns_capable+0xc3/0xf0
      [  753.193370]  __rtnl_newlink+0xb9f/0x11b0
      [ ... ]
      [  753.241201] Allocated by task 7186:
      [  753.241844]  save_stack+0x19/0x80
      [  753.242399]  __kasan_kmalloc.constprop.3+0xa0/0xd0
      [  753.243192]  __kmalloc+0x13e/0x300
      [  753.243764]  ops_init+0xd6/0x350
      [  753.244314]  register_pernet_operations+0x249/0x6f0
      [ ... ]
      [  753.251770] Freed by task 7178:
      [  753.252288]  save_stack+0x19/0x80
      [  753.252833]  __kasan_slab_free+0x111/0x150
      [  753.253962]  kfree+0xc7/0x280
      [  753.254509]  ops_free_list.part.11+0x1c4/0x2d0
      [  753.255241]  unregister_pernet_operations+0x262/0x390
      [ ... ]
      [  753.285883] list_add corruption. next->prev should be prev (ffff8880d48f2458), but was ffff8880d497d878. (next.
      [  753.287241] ------------[ cut here ]------------
      [  753.287794] kernel BUG at lib/list_debug.c:25!
      [  753.288364] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  753.289099] CPU: 0 PID: 7126 Comm: gtp-link Tainted: G    B   W         5.2.0-rc6+ #50
      [  753.291036] RIP: 0010:__list_add_valid+0x74/0xd0
      [  753.291589] Code: 48 39 da 75 27 48 39 f5 74 36 48 39 dd 74 31 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 d9 48b
      [  753.293779] RSP: 0018:ffff8880cae8f398 EFLAGS: 00010286
      [  753.294401] RAX: 0000000000000075 RBX: ffff8880d497d878 RCX: 0000000000000000
      [  753.296260] RDX: 0000000000000075 RSI: 0000000000000008 RDI: ffffed10195d1e69
      [  753.297070] RBP: ffff8880cd250ae0 R08: ffffed101b4bff21 R09: ffffed101b4bff21
      [  753.297899] R10: 0000000000000001 R11: ffffed101b4bff20 R12: ffff8880d497d878
      [  753.298703] R13: 0000000000000000 R14: ffff8880cd250ae0 R15: ffff8880d48f2458
      [  753.299564] FS:  00007f5f79805740(0000) GS:ffff8880da400000(0000) knlGS:0000000000000000
      [  753.300533] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  753.301231] CR2: 00007fe8c7ef4f10 CR3: 00000000b71a6006 CR4: 00000000000606f0
      [  753.302183] Call Trace:
      [  753.302530]  gtp_newlink+0x5f6/0xa5c [gtp]
      [  753.303037]  ? __netlink_ns_capable+0xc3/0xf0
      [  753.303576]  __rtnl_newlink+0xb9f/0x11b0
      [  753.304092]  ? rtnl_link_unregister+0x230/0x230
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      29af1ae8
      gtp: fix use-after-free in gtp_encap_destroy() · 8b9673c2
      Taehee Yoo authored
      [ Upstream commit 1788b856 ]
      
      gtp_encap_destroy() is called twice.
      1. When interface is deleted.
      2. When udp socket is destroyed.
      Either gtp->sk0 or gtp->sk1u could be freed by sock_put() in
      gtp_encap_destroy(). So, when gtp_encap_destroy() is called again,
      it would use the freed sk pointer.
      
      This patch makes gtp_encap_destroy() set either gtp->sk0 or gtp->sk1u to
      NULL. In addition, both the gtp->sk0 and gtp->sk1u pointers are protected
      by rtnl_lock, so rtnl_lock() is added.
      
      Test command:
         gtp-link add gtp1 &
         killall gtp-link
         ip link del gtp1
      
      Splat looks like:
      [   83.182767] BUG: KASAN: use-after-free in __lock_acquire+0x3a20/0x46a0
      [   83.184128] Read of size 8 at addr ffff8880cc7d5360 by task ip/1008
      [   83.185567] CPU: 1 PID: 1008 Comm: ip Not tainted 5.2.0-rc6+ #50
      [   83.188469] Call Trace:
      [ ... ]
      [   83.200126]  lock_acquire+0x141/0x380
      [   83.200575]  ? lock_sock_nested+0x3a/0xf0
      [   83.201069]  _raw_spin_lock_bh+0x38/0x70
      [   83.201551]  ? lock_sock_nested+0x3a/0xf0
      [   83.202044]  lock_sock_nested+0x3a/0xf0
      [   83.202520]  gtp_encap_destroy+0x18/0xe0 [gtp]
      [   83.203065]  gtp_encap_disable.isra.14+0x13/0x50 [gtp]
      [   83.203687]  gtp_dellink+0x56/0x170 [gtp]
      [   83.204190]  rtnl_delete_link+0xb4/0x100
      [ ... ]
      [   83.236513] Allocated by task 976:
      [   83.236925]  save_stack+0x19/0x80
      [   83.237332]  __kasan_kmalloc.constprop.3+0xa0/0xd0
      [   83.237894]  kmem_cache_alloc+0xd8/0x280
      [   83.238360]  sk_prot_alloc.isra.42+0x50/0x200
      [   83.238874]  sk_alloc+0x32/0x940
      [   83.239264]  inet_create+0x283/0xc20
      [   83.239684]  __sock_create+0x2dd/0x540
      [   83.240136]  __sys_socket+0xca/0x1a0
      [   83.240550]  __x64_sys_socket+0x6f/0xb0
      [   83.240998]  do_syscall_64+0x9c/0x450
      [   83.241466]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [   83.242061]
      [   83.242249] Freed by task 0:
      [   83.242616]  save_stack+0x19/0x80
      [   83.243013]  __kasan_slab_free+0x111/0x150
      [   83.243498]  kmem_cache_free+0x89/0x250
      [   83.244444]  __sk_destruct+0x38f/0x5a0
      [   83.245366]  rcu_core+0x7e9/0x1c20
      [   83.245766]  __do_softirq+0x213/0x8fa
      
      Fixes: 1e3a3abd ("gtp: make GTP sockets in gtp_newlink optional")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8b9673c2
      gtp: fix Illegal context switch in RCU read-side critical section. · 1ba3bba8
      Taehee Yoo authored
      [ Upstream commit 3f167e19 ]
      
      ipv4_pdp_add() is called in an RCU read-side critical section,
      so GFP_KERNEL (which may sleep) must not be used in that function.
      This patch makes ipv4_pdp_add() use GFP_ATOMIC instead of GFP_KERNEL.
      
      Test commands:
      gtp-link add gtp1 &
      gtp-tunnel add gtp1 v1 100 200 1.1.1.1 2.2.2.2
      
      Splat looks like:
      [  130.618881] =============================
      [  130.626382] WARNING: suspicious RCU usage
      [  130.626994] 5.2.0-rc6+ #50 Not tainted
      [  130.627622] -----------------------------
      [  130.628223] ./include/linux/rcupdate.h:266 Illegal context switch in RCU read-side critical section!
      [  130.629684]
      [  130.629684] other info that might help us debug this:
      [  130.629684]
      [  130.631022]
      [  130.631022] rcu_scheduler_active = 2, debug_locks = 1
      [  130.632136] 4 locks held by gtp-tunnel/1025:
      [  130.632925]  #0: 000000002b93c8b7 (cb_lock){++++}, at: genl_rcv+0x15/0x40
      [  130.634159]  #1: 00000000f17bc999 (genl_mutex){+.+.}, at: genl_rcv_msg+0xfb/0x130
      [  130.635487]  #2: 00000000c644ed8e (rtnl_mutex){+.+.}, at: gtp_genl_new_pdp+0x18c/0x1150 [gtp]
      [  130.636936]  #3: 0000000007a1cde7 (rcu_read_lock){....}, at: gtp_genl_new_pdp+0x187/0x1150 [gtp]
      [  130.638348]
      [  130.638348] stack backtrace:
      [  130.639062] CPU: 1 PID: 1025 Comm: gtp-tunnel Not tainted 5.2.0-rc6+ #50
      [  130.641318] Call Trace:
      [  130.641707]  dump_stack+0x7c/0xbb
      [  130.642252]  ___might_sleep+0x2c0/0x3b0
      [  130.642862]  kmem_cache_alloc_trace+0x1cd/0x2b0
      [  130.643591]  gtp_genl_new_pdp+0x6c5/0x1150 [gtp]
      [  130.644371]  genl_family_rcv_msg+0x63a/0x1030
      [  130.645074]  ? mutex_lock_io_nested+0x1090/0x1090
      [  130.645845]  ? genl_unregister_family+0x630/0x630
      [  130.646592]  ? debug_show_all_locks+0x2d0/0x2d0
      [  130.647293]  ? check_flags.part.40+0x440/0x440
      [  130.648099]  genl_rcv_msg+0xa3/0x130
      [ ... ]
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1ba3bba8
      gtp: fix suspicious RCU usage · bf75202d
      Taehee Yoo authored
      [ Upstream commit e198987e ]
      
      gtp_encap_enable_socket() and gtp_encap_destroy() are not protected
      by rcu_read_lock(), and it's not safe to write sk->sk_user_data there.
      This patch makes these functions take lock_sock() instead of relying on
      rcu_dereference_sk_user_data().
      
      Test commands:
          gtp-link add gtp1
      
      Splat looks like:
      [   83.238315] =============================
      [   83.239127] WARNING: suspicious RCU usage
      [   83.239702] 5.2.0-rc6+ #49 Not tainted
      [   83.240268] -----------------------------
      [   83.241205] drivers/net/gtp.c:799 suspicious rcu_dereference_check() usage!
      [   83.243828]
      [   83.243828] other info that might help us debug this:
      [   83.243828]
      [   83.246325]
      [   83.246325] rcu_scheduler_active = 2, debug_locks = 1
      [   83.247314] 1 lock held by gtp-link/1008:
      [   83.248523]  #0: 0000000017772c7f (rtnl_mutex){+.+.}, at: __rtnl_newlink+0x5f5/0x11b0
      [   83.251503]
      [   83.251503] stack backtrace:
      [   83.252173] CPU: 0 PID: 1008 Comm: gtp-link Not tainted 5.2.0-rc6+ #49
      [   83.253271] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   83.254562] Call Trace:
      [   83.254995]  dump_stack+0x7c/0xbb
      [   83.255567]  gtp_encap_enable_socket+0x2df/0x360 [gtp]
      [   83.256415]  ? gtp_find_dev+0x1a0/0x1a0 [gtp]
      [   83.257161]  ? memset+0x1f/0x40
      [   83.257843]  gtp_newlink+0x90/0xa21 [gtp]
      [   83.258497]  ? __netlink_ns_capable+0xc3/0xf0
      [   83.259260]  __rtnl_newlink+0xb9f/0x11b0
      [   83.260022]  ? rtnl_link_unregister+0x230/0x230
      [ ... ]
      
      Fixes: 1e3a3abd ("gtp: make GTP sockets in gtp_newlink optional")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bf75202d
      Bluetooth: validate BLE connection interval updates · 572af11e
      csonsino authored
      [ Upstream commit c49a8682 ]
      
      Problem: The Linux Bluetooth stack yields complete control over the BLE
      connection interval to the remote device.
      
      The Linux Bluetooth stack provides access to the BLE connection interval
      min and max values through /sys/kernel/debug/bluetooth/hci0/
      conn_min_interval and /sys/kernel/debug/bluetooth/hci0/conn_max_interval.
      These values are used for initial BLE connections, but the remote device
      has the ability to request a connection parameter update. In the event
      that the remote side requests to change the connection interval, the Linux
      kernel currently only validates that the desired value is within the
      acceptable range in the Bluetooth specification (6 - 3200, corresponding to
      7.5ms - 4000ms). There is currently no validation that the desired value
      requested by the remote device is within the min/max limits specified in
      the conn_min_interval/conn_max_interval configurations. This essentially
      leads to Linux yielding complete control over the connection interval to
      the remote device.
      
      The proposed patch adds a verification step to the connection parameter
      update mechanism, ensuring that the desired value is within the min/max
      bounds of the current connection. If the desired value is outside of the
      current connection min/max values, then the connection parameter update
      request is rejected and the negative response is returned to the remote
      device. Recall that the initial connection is established using the local
      conn_min_interval/conn_max_interval values, so this allows the Linux
      administrator to retain control over the BLE connection interval.
      
      The one downside that I see is that the current default Linux values for
      conn_min_interval and conn_max_interval typically correspond to 30ms and
      50ms respectively. If this change were accepted, then it is feasible that
      some devices would no longer be able to negotiate to their desired
      connection interval values. This might be remedied by setting the default
      Linux conn_min_interval and conn_max_interval values to the widest
      supported range (6 - 3200 / 7.5ms - 4000ms). This could lead to the same
      behavior as the current implementation, where the remote device could
      request to change the connection interval value to any value that is
      permitted by the Bluetooth specification, and Linux would accept the
      desired value.
      Signed-off-by: default avatarCarey Sonsino <csonsino@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      572af11e
      gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable() · 83e8d4c8
      Taehee Yoo authored
      [ Upstream commit e30155fd ]
      
      If an invalid role is sent from user space, gtp_encap_enable() fails.
      It should then call gtp_encap_disable_sock(), but the current code
      doesn't, which results in a memory leak.
      
      Fixes: 91ed81f9 ("gtp: support SGSN-side tunnels")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      83e8d4c8
      Bluetooth: hidp: NUL terminate a string in the compat ioctl · 11f91596
      Dan Carpenter authored
      [ Upstream commit dcae9052 ]
      
      This change is similar to commit a1616a5a ("Bluetooth: hidp: fix
      buffer overflow") but for the compat ioctl.  We take a string from the
      user and forgot to ensure that it's NUL terminated.
      
      I have also changed the strncpy() in to strscpy() in hidp_setup_hid().
      The difference is the strncpy() doesn't necessarily NUL terminate the
      destination string.  Either change would fix the problem but it's nice
      to take a belt and suspenders approach and do both.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      11f91596
      Bluetooth: Check state in l2cap_disconnect_rsp · 9e8d3c92
      Matias Karhumaa authored
      [ Upstream commit 28261da8 ]
      
      Because of both sides doing L2CAP disconnection at the same time, it
      was possible to receive L2CAP Disconnection Response with CID that was
      already freed. That caused problems if CID was already reused and L2CAP
      Connection Request with same CID was sent out. Before this patch kernel
      deleted channel context regardless of the state of the channel.
      
      Example where leftover Disconnection Response (frame #402) causes local
      device to delete L2CAP channel which was not yet connected. This in
      turn confuses remote device's stack because same CID is re-used without
      properly disconnecting.
      
      Btmon capture before patch:
      ** snip **
      > ACL Data RX: Handle 43 flags 0x02 dlen 8                #394 [hci1] 10.748949
            Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
            RFCOMM: Disconnect (DISC) (0x43)
               Address: 0x03 cr 1 dlci 0x00
               Control: 0x53 poll/final 1
               Length: 0
               FCS: 0xfd
      < ACL Data TX: Handle 43 flags 0x00 dlen 8                #395 [hci1] 10.749062
            Channel: 65 len 4 [PSM 3 mode 0] {chan 2}
            RFCOMM: Unnumbered Ack (UA) (0x63)
               Address: 0x03 cr 1 dlci 0x00
               Control: 0x73 poll/final 1
               Length: 0
               FCS: 0xd7
      < ACL Data TX: Handle 43 flags 0x00 dlen 12               #396 [hci1] 10.749073
            L2CAP: Disconnection Request (0x06) ident 17 len 4
              Destination CID: 65
              Source CID: 65
      > HCI Event: Number of Completed Packets (0x13) plen 5    #397 [hci1] 10.752391
              Num handles: 1
              Handle: 43
              Count: 1
      > HCI Event: Number of Completed Packets (0x13) plen 5    #398 [hci1] 10.753394
              Num handles: 1
              Handle: 43
              Count: 1
      > ACL Data RX: Handle 43 flags 0x02 dlen 12               #399 [hci1] 10.756499
            L2CAP: Disconnection Request (0x06) ident 26 len 4
              Destination CID: 65
              Source CID: 65
      < ACL Data TX: Handle 43 flags 0x00 dlen 12               #400 [hci1] 10.756548
            L2CAP: Disconnection Response (0x07) ident 26 len 4
              Destination CID: 65
              Source CID: 65
      < ACL Data TX: Handle 43 flags 0x00 dlen 12               #401 [hci1] 10.757459
            L2CAP: Connection Request (0x02) ident 18 len 4
              PSM: 1 (0x0001)
              Source CID: 65
      > ACL Data RX: Handle 43 flags 0x02 dlen 12               #402 [hci1] 10.759148
            L2CAP: Disconnection Response (0x07) ident 17 len 4
              Destination CID: 65
              Source CID: 65
      = bluetoothd: 00:1E:AB:4C:56:54: error updating services: Input/o..   10.759447
      > HCI Event: Number of Completed Packets (0x13) plen 5    #403 [hci1] 10.759386
              Num handles: 1
              Handle: 43
              Count: 1
      > ACL Data RX: Handle 43 flags 0x02 dlen 12               #404 [hci1] 10.760397
            L2CAP: Connection Request (0x02) ident 27 len 4
              PSM: 3 (0x0003)
              Source CID: 65
      < ACL Data TX: Handle 43 flags 0x00 dlen 16               #405 [hci1] 10.760441
            L2CAP: Connection Response (0x03) ident 27 len 8
              Destination CID: 65
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      < ACL Data TX: Handle 43 flags 0x00 dlen 27               #406 [hci1] 10.760449
            L2CAP: Configure Request (0x04) ident 19 len 19
              Destination CID: 65
              Flags: 0x0000
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 1013
              Option: Retransmission and Flow Control (0x04) [mandatory]
                Mode: Basic (0x00)
                TX window size: 0
                Max transmit: 0
                Retransmission timeout: 0
                Monitor timeout: 0
                Maximum PDU size: 0
      > HCI Event: Number of Completed Packets (0x13) plen 5    #407 [hci1] 10.761399
              Num handles: 1
              Handle: 43
              Count: 1
      > ACL Data RX: Handle 43 flags 0x02 dlen 16               #408 [hci1] 10.762942
            L2CAP: Connection Response (0x03) ident 18 len 8
              Destination CID: 66
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      *snip*
      
      Similar case after the patch:
      *snip*
      > ACL Data RX: Handle 43 flags 0x02 dlen 8            #22702 [hci0] 1664.411056
            Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
            RFCOMM: Disconnect (DISC) (0x43)
               Address: 0x03 cr 1 dlci 0x00
               Control: 0x53 poll/final 1
               Length: 0
               FCS: 0xfd
      < ACL Data TX: Handle 43 flags 0x00 dlen 8            #22703 [hci0] 1664.411136
            Channel: 65 len 4 [PSM 3 mode 0] {chan 3}
            RFCOMM: Unnumbered Ack (UA) (0x63)
               Address: 0x03 cr 1 dlci 0x00
               Control: 0x73 poll/final 1
               Length: 0
               FCS: 0xd7
      < ACL Data TX: Handle 43 flags 0x00 dlen 12           #22704 [hci0] 1664.411143
            L2CAP: Disconnection Request (0x06) ident 11 len 4
              Destination CID: 65
              Source CID: 65
      > HCI Event: Number of Completed Pac.. (0x13) plen 5  #22705 [hci0] 1664.414009
              Num handles: 1
              Handle: 43
              Count: 1
      > HCI Event: Number of Completed Pac.. (0x13) plen 5  #22706 [hci0] 1664.415007
              Num handles: 1
              Handle: 43
              Count: 1
      > ACL Data RX: Handle 43 flags 0x02 dlen 12           #22707 [hci0] 1664.418674
            L2CAP: Disconnection Request (0x06) ident 17 len 4
              Destination CID: 65
              Source CID: 65
      < ACL Data TX: Handle 43 flags 0x00 dlen 12           #22708 [hci0] 1664.418762
            L2CAP: Disconnection Response (0x07) ident 17 len 4
              Destination CID: 65
              Source CID: 65
      < ACL Data TX: Handle 43 flags 0x00 dlen 12           #22709 [hci0] 1664.421073
            L2CAP: Connection Request (0x02) ident 12 len 4
              PSM: 1 (0x0001)
              Source CID: 65
      > ACL Data RX: Handle 43 flags 0x02 dlen 12           #22710 [hci0] 1664.421371
            L2CAP: Disconnection Response (0x07) ident 11 len 4
              Destination CID: 65
              Source CID: 65
      > HCI Event: Number of Completed Pac.. (0x13) plen 5  #22711 [hci0] 1664.424082
              Num handles: 1
              Handle: 43
              Count: 1
      > HCI Event: Number of Completed Pac.. (0x13) plen 5  #22712 [hci0] 1664.425040
              Num handles: 1
              Handle: 43
              Count: 1
      > ACL Data RX: Handle 43 flags 0x02 dlen 12           #22713 [hci0] 1664.426103
            L2CAP: Connection Request (0x02) ident 18 len 4
              PSM: 3 (0x0003)
              Source CID: 65
      < ACL Data TX: Handle 43 flags 0x00 dlen 16           #22714 [hci0] 1664.426186
            L2CAP: Connection Response (0x03) ident 18 len 8
              Destination CID: 66
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      < ACL Data TX: Handle 43 flags 0x00 dlen 27           #22715 [hci0] 1664.426196
            L2CAP: Configure Request (0x04) ident 13 len 19
              Destination CID: 65
              Flags: 0x0000
              Option: Maximum Transmission Unit (0x01) [mandatory]
                MTU: 1013
              Option: Retransmission and Flow Control (0x04) [mandatory]
                Mode: Basic (0x00)
                TX window size: 0
                Max transmit: 0
                Retransmission timeout: 0
                Monitor timeout: 0
                Maximum PDU size: 0
      > ACL Data RX: Handle 43 flags 0x02 dlen 16           #22716 [hci0] 1664.428804
            L2CAP: Connection Response (0x03) ident 12 len 8
              Destination CID: 66
              Source CID: 65
              Result: Connection successful (0x0000)
              Status: No further information available (0x0000)
      *snip*
      
      Fix is to check that channel is in state BT_DISCONN before deleting the
      channel.
      
      This bug was found while fuzzing Bluez's OBEX implementation using
      Synopsys Defensics.
      Reported-by: default avatarMatti Kamunen <matti.kamunen@synopsys.com>
      Reported-by: default avatarAri Timonen <ari.timonen@synopsys.com>
      Signed-off-by: default avatarMatias Karhumaa <matias.karhumaa@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9e8d3c92
      perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64 · 4b81211d
      Seeteena Thoufeek authored
      [ Upstream commit bff5a556 ]
      
      'probe libc's inet_pton & backtrace it with ping' testcase sometimes
      fails on powerpc because distro ping binary does not have symbol
      information and thus it prints "[unknown]" function name in the
      backtrace.
      
      Accept "[unknown]" as valid function name for powerpc as well.
      
       # perf test -v "probe libc's inet_pton & backtrace it with ping"
      
      Before:
      
        59: probe libc's inet_pton & backtrace it with ping       :
        --- start ---
        test child forked, pid 79695
        ping 79718 [077] 96483.787025: probe_libc:inet_pton: (7fff83a754c8)
        7fff83a754c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
        7fff83a2b7a0 gaih_inet.constprop.7+0x1020
        (/usr/lib64/power9/libc-2.28.so)
        7fff83a2c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
        1171830f4 [unknown] (/usr/bin/ping)
        FAIL: expected backtrace entry
        ".*\+0x[[:xdigit:]]+[[:space:]]\(.*/bin/ping.*\)$"
        got "1171830f4 [unknown] (/usr/bin/ping)"
        test child finished with -1
        ---- end ----
        probe libc's inet_pton & backtrace it with ping: FAILED!
      
      After:
      
        59: probe libc's inet_pton & backtrace it with ping       :
        --- start ---
        test child forked, pid 79085
        ping 79108 [045] 96400.214177: probe_libc:inet_pton: (7fffbb9654c8)
        7fffbb9654c8 __GI___inet_pton+0x8 (/usr/lib64/power9/libc-2.28.so)
        7fffbb91b7a0 gaih_inet.constprop.7+0x1020
        (/usr/lib64/power9/libc-2.28.so)
        7fffbb91c170 getaddrinfo+0x160 (/usr/lib64/power9/libc-2.28.so)
        132e830f4 [unknown] (/usr/bin/ping)
        test child finished with 0
        ---- end ----
        probe libc's inet_pton & backtrace it with ping: Ok
      Signed-off-by: default avatarSeeteena Thoufeek <s1seetee@linux.vnet.ibm.com>
      Reviewed-by: default avatarKim Phillips <kim.phillips@amd.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Hendrik Brueckner <brueckner@linux.ibm.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Michael Petlan <mpetlan@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Sandipan Das <sandipan@linux.ibm.com>
      Fixes: 16329364 ("perf tests: Fix record+probe_libc_inet_pton.sh without ping's debuginfo")
      Link: http://lkml.kernel.org/r/1561630614-3216-1-git-send-email-s1seetee@linux.vnet.ibm.com
      Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4b81211d
      genirq: Update irq stats from NMI handlers · f260fc0c
      Shijith Thotton authored
      [ Upstream commit c09cb129 ]
      
      The NMI handlers handle_percpu_devid_fasteoi_nmi() and handle_fasteoi_nmi()
      do not update the interrupt counts. Due to that the NMI interrupt count
      does not show up correctly in /proc/interrupts.
      
      Add the statistics and treat the NMI handlers in the same way as per cpu
      interrupts and prevent them from updating irq_desc::tot_count as this might
      be corrupted due to concurrency.
      
      [ tglx: Massaged changelog ]
      
      Fixes: 2dcf1fbc ("genirq: Provide NMI handlers")
      Signed-off-by: default avatarShijith Thotton <sthotton@marvell.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/1562313336-11888-1-git-send-email-sthotton@marvell.com
      Signed-off-by: Sasha Levin <sashal@kernel.org>
      f260fc0c
      Bluetooth: 6lowpan: search for destination address in all peers · 0eb79996
      Josua Mayer authored
      [ Upstream commit b188b032 ]
      
      Handle overlooked case where the target address is assigned to a peer
      and neither route nor gateway exist.
      
      For one peer, no checks are performed to see if it is meant to receive
      packets for a given address.
      
      As soon as there is a second peer however, checks are performed
      to deal with routes and gateways for handling complex setups with
      multiple hops to a target address.
      This logic assumed that no route and no gateway imply that the
      destination address can not be reached, which is false in case of a
      direct peer.
      Acked-by: default avatarJukka Rissanen <jukka.rissanen@linux.intel.com>
      Tested-by: default avatarMichael Scott <mike@foundries.io>
      Signed-off-by: default avatarJosua Mayer <josua.mayer@jm0.eu>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0eb79996
      Bluetooth: Add new 13d3:3501 QCA_ROME device · 39f0228a
      João Paulo Rechi Vita authored
      [ Upstream commit 881cec4f ]
      
      Without the QCA ROME setup routine this adapter fails to establish a SCO
      connection.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3501 Rev=00.01
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I:  If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      Signed-off-by: default avatarJoão Paulo Rechi Vita <jprvita@endlessm.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      39f0228a
      Bluetooth: Add new 13d3:3491 QCA_ROME device · 7302488e
      João Paulo Rechi Vita authored
      [ Upstream commit 44d34af2 ]
      
      Without the QCA ROME setup routine this adapter fails to establish a SCO
      connection.
      
      T:  Bus=01 Lev=01 Prnt=01 Port=08 Cnt=01 Dev#=  2 Spd=12  MxCh= 0
      D:  Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=13d3 ProdID=3491 Rev=00.01
      C:  #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      I:  If#=0x1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
      Signed-off-by: default avatarJoão Paulo Rechi Vita <jprvita@endlessm.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7302488e
      Bluetooth: hci_bcsp: Fix memory leak in rx_skb · a1803984
      Tomas Bortoli authored
      [ Upstream commit 4ce9146e ]
      
      Syzkaller found that it is possible to provoke a memory leak by
      never freeing rx_skb in struct bcsp_struct.
      
      Fix by freeing in bcsp_close()
      Signed-off-by: default avatarTomas Bortoli <tomasbortoli@gmail.com>
      Reported-by: syzbot+98162c885993b72f19c4@syzkaller.appspotmail.com
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a1803984
      net: hns3: enable broadcast promisc mode when initializing VF · 67e4a729
      Jian Shen authored
      [ Upstream commit 2d5066fc ]
      
      For revision 0x20, the broadcast promisc is enabled by firmware,
      it's unnecessary to enable it when initializing VF.
      
      For revision 0x21, it's necessary to enable broadcast promisc mode
      when initializing or re-initializing VF, otherwise, it will be
      unable to send and receive promisc packets.
      
      Fixes: f01f5559 ("net: hns3: don't allow vf to enable promisc mode")
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      67e4a729
      tools: bpftool: Fix json dump crash on powerpc · 72133040
      Jiri Olsa authored
      [ Upstream commit aa52bcbe ]
      
      Michael reported crash with by bpf program in json mode on powerpc:
      
        # bpftool prog -p dump jited id 14
        [{
              "name": "0xd00000000a9aa760",
              "insns": [{
                      "pc": "0x0",
                      "operation": "nop",
                      "operands": [null
                      ]
                  },{
                      "pc": "0x4",
                      "operation": "nop",
                      "operands": [null
                      ]
                  },{
                      "pc": "0x8",
                      "operation": "mflr",
        Segmentation fault (core dumped)
      
      The code is assuming char pointers in format, which is not always
      true at least for powerpc. Fixing this by dumping the whole string
      into buffer based on its format.
      
      Please note that libopcodes code does not check return values from
      fprintf callback, but as per Jakub suggestion returning -1 on allocation
      failure so we do the best effort to propagate the error.
      
      Fixes: 107f0412 ("tools: bpftool: add JSON output for `bpftool prog dump jited *` command")
      Reported-by: default avatarMichael Petlan <mpetlan@redhat.com>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Reviewed-by: default avatarQuentin Monnet <quentin.monnet@netronome.com>
      Reviewed-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      72133040
      ASoC: audio-graph-card: fix use-after-free in graph_for_each_link · b2e77a92
      Wen Yang authored
      [ Upstream commit 1bcc1fd6 ]
      
      After calling of_node_put() on the codec_ep and codec_port variables,
      they are still being used, which may result in use-after-free.
      We fix this issue by calling of_node_put() after the last usage.
      
      Fixes: fce9b90c ("ASoC: audio-graph-card: cleanup DAI link loop method - step2")
      Signed-off-by: default avatarWen Yang <wen.yang99@zte.com.cn>
      Cc: Liam Girdwood <lgirdwood@gmail.com>
      Cc: Mark Brown <broonie@kernel.org>
      Cc: Jaroslav Kysela <perex@perex.cz>
      Cc: Takashi Iwai <tiwai@suse.com>
      Cc: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Cc: alsa-devel@alsa-project.org
      Cc: linux-kernel@vger.kernel.org
      Link: https://lore.kernel.org/r/1562229530-8121-1-git-send-email-wen.yang99@zte.com.cn
      Signed-off-by: Mark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b2e77a92
      gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants · cbd7d2d8
      Geert Uytterhoeven authored
      [ Upstream commit 3285170f ]
      
      Commit 372e722e ("gpiolib: use descriptors internally") renamed
      the functions to use a "gpiod" prefix, and commit 79a9becd
      ("gpiolib: export descriptor-based GPIO interface") introduced the "raw"
      variants, but both changes forgot to update the comments.
      
      Readd a similar reference to gpiod_set_value(), which was accidentally
      removed by commit 1e77fc82 ("gpio: Add missing open drain/source
      handling to gpiod_set_value_cansleep()").
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Link: https://lore.kernel.org/r/20190701142738.25219-1-geert+renesas@glider.be
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cbd7d2d8
      bonding: validate ip header before check IPPROTO_IGMP · 6ddf0813
      Cong Wang authored
      [ Upstream commit 9d1bc24b ]
      
      bond_xmit_roundrobin() checks for IGMP packets but it parses
      the IP header even before checking skb->protocol.

      We should validate the IP header with pskb_may_pull() before
      using iph->protocol, so that the header bytes are guaranteed to be
      present in the linear part of the skb before they are read.
      
      Reported-and-tested-by: syzbot+e5be16aa39ad6e755391@syzkaller.appspotmail.com
      Fixes: a2fd940f ("bonding: fix broken multicast with round-robin mode")
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6ddf0813
      selftests: bpf: fix inlines in test_lwt_seg6local · f9cae712
      Jiri Benc authored
      [ Upstream commit 11aca65e ]
      
      Selftests are reporting this failure in test_lwt_seg6local.sh:
      
      + ip netns exec ns2 ip -6 route add fb00::6 encap bpf in obj test_lwt_seg6local.o sec encap_srh dev veth2
      Error fetching program/map!
      Failed to parse eBPF program: Operation not permitted
      
      The problem is that __attribute__((always_inline)) alone is not enough to
      prevent clang from placing those functions in .text. In that case, .text is
      not marked as relocatable.
      
      See the output of objdump -h test_lwt_seg6local.o:
      
      Idx Name          Size      VMA               LMA               File off  Algn
        0 .text         00003530  0000000000000000  0000000000000000  00000040  2**3
                        CONTENTS, ALLOC, LOAD, READONLY, CODE
      
      This causes the iproute bpf loader to fail in bpf_fetch_prog_sec:
      bpf_has_call_data returns true but bpf_fetch_prog_relo fails as there's no
      relocateable .text section in the file.
      
      To fix this, convert to 'static __always_inline'.
      
      v2: Use 'static __always_inline' instead of 'static inline
          __attribute__((always_inline))'
      
      Fixes: c99a84ea ("selftests/bpf: test for seg6local End.BPF action")
      Signed-off-by: default avatarJiri Benc <jbenc@redhat.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bpf, libbpf, smatch: Fix potential NULL pointer dereference · b8bf2e82
      Leo Yan authored
      [ Upstream commit 33bae185 ]
      
      Based on the following report from Smatch, fix the potential NULL
      pointer dereference check:
      
        tools/lib/bpf/libbpf.c:3493
        bpf_prog_load_xattr() warn: variable dereferenced before check 'attr'
        (see line 3483)
      
        3479 int bpf_prog_load_xattr(const struct bpf_prog_load_attr *attr,
        3480                         struct bpf_object **pobj, int *prog_fd)
        3481 {
        3482         struct bpf_object_open_attr open_attr = {
        3483                 .file           = attr->file,
        3484                 .prog_type      = attr->prog_type,
                                               ^^^^^^
        3485         };
      
      At the head of the function, it directly accesses 'attr' without checking
      whether it is a NULL pointer. This patch moves the value assignments after
      the validation of 'attr' and 'attr->file'.
      Signed-off-by: default avatarLeo Yan <leo.yan@linaro.org>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      libbpf: fix GCC8 warning for strncpy · 925df798
      Andrii Nakryiko authored
      [ Upstream commit cdfc7f88 ]
      
      GCC8 started emitting a warning about using strncpy with a byte count
      exactly equal to the destination size, which is generally unsafe, as it can
      lead to a non-zero-terminated string being copied. Use IFNAMSIZ - 1 as the
      number of bytes to ensure the name is always zero-terminated.
      Signed-off-by: default avatarAndrii Nakryiko <andriin@fb.com>
      Cc: Magnus Karlsson <magnus.karlsson@intel.com>
      Acked-by: default avatarYonghong Song <yhs@fb.com>
      Acked-by: default avatarMagnus Karlsson <magnus.karlsson@intel.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      rxrpc: Fix oops in tracepoint · 8cf52280
      David Howells authored
      [ Upstream commit 99f0eae6 ]
      
      If the rxrpc_eproto tracepoint is enabled, an oops will be caused by the
      trace line that rxrpc_extract_header() tries to emit when a protocol error
      occurs (typically because the packet is short), because the call argument is
      NULL.
      
      Fix this by using ?: to assume 0 as the debug_id if call is NULL.
      
      This can then be induced by:
      
      	echo -e '\0\0\0\0\0\0\0\0' | ncat -4u --send-only <addr> 20001
      
      where addr has the following program running on it:
      
      	#include <stdio.h>
      	#include <stdlib.h>
      	#include <string.h>
      	#include <unistd.h>
      	#include <sys/socket.h>
      	#include <arpa/inet.h>
      	#include <linux/rxrpc.h>
      	int main(void)
      	{
      		struct sockaddr_rxrpc srx;
      		int fd;
      		memset(&srx, 0, sizeof(srx));
      		srx.srx_family			= AF_RXRPC;
      		srx.srx_service			= 0;
      		srx.transport_type		= AF_INET;
      		srx.transport_len		= sizeof(srx.transport.sin);
      		srx.transport.sin.sin_family	= AF_INET;
      		srx.transport.sin.sin_port	= htons(0x4e21);
      		fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET6);
      		bind(fd, (struct sockaddr *)&srx, sizeof(srx));
      		sleep(20);
      		return 0;
      	}
      
      It results in the following oops.
      
      	BUG: kernel NULL pointer dereference, address: 0000000000000340
      	#PF: supervisor read access in kernel mode
      	#PF: error_code(0x0000) - not-present page
      	...
      	RIP: 0010:trace_event_raw_event_rxrpc_rx_eproto+0x47/0xac
      	...
      	Call Trace:
      	 <IRQ>
      	 rxrpc_extract_header+0x86/0x171
      	 ? rcu_read_lock_sched_held+0x5d/0x63
      	 ? rxrpc_new_skb+0xd4/0x109
      	 rxrpc_input_packet+0xef/0x14fc
      	 ? rxrpc_input_data+0x986/0x986
      	 udp_queue_rcv_one_skb+0xbf/0x3d0
      	 udp_unicast_rcv_skb.isra.8+0x64/0x71
      	 ip_protocol_deliver_rcu+0xe4/0x1b4
      	 ip_local_deliver+0xf0/0x154
      	 __netif_receive_skb_one_core+0x50/0x6c
      	 netif_receive_skb_internal+0x26b/0x2e9
      	 napi_gro_receive+0xf8/0x1da
      	 rtl8169_poll+0x303/0x4c4
      	 net_rx_action+0x10e/0x333
      	 __do_softirq+0x1a5/0x38f
      	 irq_exit+0x54/0xc4
      	 do_IRQ+0xda/0xf8
      	 common_interrupt+0xf/0xf
      	 </IRQ>
      	 ...
      	 ? cpuidle_enter_state+0x23c/0x34d
      	 cpuidle_enter+0x2a/0x36
      	 do_idle+0x163/0x1ea
      	 cpu_startup_entry+0x1d/0x1f
      	 start_secondary+0x157/0x172
      	 secondary_startup_64+0xa4/0xb0
      
      Fixes: a25e21f0 ("rxrpc, afs: Use debug_ids rather than pointers in traces")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>