11 Feb, 2020 (40 commits)
    • ALSA: hda: Add Clevo W65_67SB the power_save blacklist · 3c051725
      Hans de Goede authored
      commit d8feb608 upstream.
      
      Using HDA power-saving on the Clevo W65_67SB causes the first 0.5
      seconds of audio to be missing every time audio starts playing.
      
      This commit adds the Clevo W65_67SB to the power_save blacklist to avoid
      this issue.
      
      Cc: stable@vger.kernel.org
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104
      Signed-off-by: Hans de Goede <hdegoede@redhat.com>
      Link: https://lore.kernel.org/r/20200125181021.70446-1-hdegoede@redhat.com
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • platform/x86: intel_scu_ipc: Fix interrupt support · 17612b3c
      Mika Westerberg authored
      commit e48b72a5 upstream.
      
      Currently the driver has disabled interrupt support for Tangier, but
      actually interrupts work just fine if the command is not written twice
      in a row. Also we need to ack the interrupt in the handler.
      Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqdomain: Fix a memory leak in irq_domain_push_irq() · 4f7d834c
      Kevin Hao authored
      commit 0f394dae upstream.
      
      Fix a memory leak reported by kmemleak:
      unreferenced object 0xffff000bc6f50e80 (size 128):
        comm "kworker/23:2", pid 201, jiffies 4294894947 (age 942.132s)
        hex dump (first 32 bytes):
          00 00 00 00 41 00 00 00 86 c0 03 00 00 00 00 00  ....A...........
          00 a0 b2 c6 0b 00 ff ff 40 51 fd 10 00 80 ff ff  ........@Q......
        backtrace:
          [<00000000e62d2240>] kmem_cache_alloc_trace+0x1a4/0x320
          [<00000000279143c9>] irq_domain_push_irq+0x7c/0x188
          [<00000000d9f4c154>] thunderx_gpio_probe+0x3ac/0x438
          [<00000000fd09ec22>] pci_device_probe+0xe4/0x198
          [<00000000d43eca75>] really_probe+0xdc/0x320
          [<00000000d3ebab09>] driver_probe_device+0x5c/0xf0
          [<000000005b3ecaa0>] __device_attach_driver+0x88/0xc0
          [<000000004e5915f5>] bus_for_each_drv+0x7c/0xc8
          [<0000000079d4db41>] __device_attach+0xe4/0x140
          [<00000000883bbda9>] device_initial_probe+0x18/0x20
          [<000000003be59ef6>] bus_probe_device+0x98/0xa0
          [<0000000039b03d3f>] deferred_probe_work_func+0x74/0xa8
          [<00000000870934ce>] process_one_work+0x1c8/0x470
          [<00000000e3cce570>] worker_thread+0x1f8/0x428
          [<000000005d64975e>] kthread+0xfc/0x128
          [<00000000f0eaa764>] ret_from_fork+0x10/0x18
      
      Fixes: 495c38d3 ("irqdomain: Add irq_domain_{push,pop}_irq() functions")
      Signed-off-by: Kevin Hao <haokexin@gmail.com>
      Signed-off-by: Marc Zyngier <maz@kernel.org>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20200120043547.22271-1-haokexin@gmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() · 359cc3bc
      Gustavo A. R. Silva authored
      commit 3e21d9a5 upstream.
      
      In case memory resources for _ptr2_ were allocated, release them before
      return.
      
      Notice that in case _ptr1_ happens to be NULL, krealloc() behaves
      exactly like kmalloc().
      
      Addresses-Coverity-ID: 1490594 ("Resource leak")
      Link: http://lkml.kernel.org/r/20200123160115.GA4202@embeddedor
      Fixes: 3f15801c ("lib: add kasan test module")
      Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
      Reviewed-by: Dmitry Vyukov <dvyukov@google.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments · a81cdcdf
      Helen Koike authored
      commit f51e50db upstream.
      
      boundary->width and boundary->height are sizes relative to
      boundary->left and boundary->top coordinates, but they were not being
      taken into consideration to adjust r->left and r->top, leading to the
      following error:
      
      Consider the following as initial values for boundary and r:
      
      struct v4l2_rect boundary = {
      	.left = 100,
      	.top = 100,
      	.width = 800,
      	.height = 600,
      }
      
      struct v4l2_rect r = {
      	.left = 0,
      	.top = 0,
      	.width = 1920,
      	.height = 960,
      }
      
      calling v4l2_rect_map_inside(&r, &boundary) was modifying r to:
      
      r = {
      	.left = 0,
      	.top = 0,
      	.width = 800,
      	.height = 600,
      }
      
      which is wrongly outside the boundary rectangle, because:
      
      	v4l2_rect_set_max_size(r, boundary); // r->width = 800, r->height = 600
      	...
      	if (r->left + r->width > boundary->width) // true
      		r->left = boundary->width - r->width; // r->left = 800 - 800
      	if (r->top + r->height > boundary->height) // true
      		r->top = boundary->height - r->height; // r->top = 600 - 600
      
      Fix this by considering top/left coordinates from boundary.
      
      Fixes: ac49de8c ("[media] v4l2-rect.h: new header with struct v4l2_rect helper functions")
      Signed-off-by: Helen Koike <helen.koike@collabora.com>
      Cc: <stable@vger.kernel.org>      # for v4.7 and up
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
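The bug described in this commit message, reproduced as an added stand-alone example (not the kernel's own header): the pre-fix clamp compares against boundary->width/height as if the boundary started at (0, 0), while the corrected clamp uses boundary->left + boundary->width and boundary->top + boundary->height. The struct is a local stand-in for the kernel's v4l2_rect, and the lower-bound clamps standing in for the "..." in the message are an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* Local stand-in for the kernel's struct v4l2_rect; field order matches the UAPI header. */
struct v4l2_rect {
	int32_t left;
	int32_t top;
	uint32_t width;
	uint32_t height;
};

/* Clamp r's size to max_size's size; left/top are left alone. */
static void rect_set_max_size(struct v4l2_rect *r,
			      const struct v4l2_rect *max_size)
{
	if (r->width > max_size->width)
		r->width = max_size->width;
	if (r->height > max_size->height)
		r->height = max_size->height;
}

/* Pre-fix logic from the commit message. The lower-bound clamps stand in for
 * the "..." in the message (assumption). The upper-bound checks compare against
 * boundary->width/height as if the boundary started at (0, 0). */
static void rect_map_inside_buggy(struct v4l2_rect *r,
				  const struct v4l2_rect *boundary)
{
	rect_set_max_size(r, boundary);
	if (r->left < boundary->left)
		r->left = boundary->left;
	if (r->top < boundary->top)
		r->top = boundary->top;
	if (r->left + r->width > boundary->width)
		r->left = boundary->width - r->width;
	if (r->top + r->height > boundary->height)
		r->top = boundary->height - r->height;
}

/* Corrected logic: the right/bottom edge is boundary->left + boundary->width
 * (resp. boundary->top + boundary->height), so the clamp keeps r inside an
 * offset boundary instead of pushing it back towards the origin. */
static void rect_map_inside_fixed(struct v4l2_rect *r,
				  const struct v4l2_rect *boundary)
{
	rect_set_max_size(r, boundary);
	if (r->left < boundary->left)
		r->left = boundary->left;
	if (r->top < boundary->top)
		r->top = boundary->top;
	if (r->left + r->width > boundary->left + boundary->width)
		r->left = boundary->left + boundary->width - r->width;
	if (r->top + r->height > boundary->top + boundary->height)
		r->top = boundary->top + boundary->height - r->height;
}

/* 1 if r lies entirely inside boundary, else 0. */
static int rect_inside(const struct v4l2_rect *r,
		       const struct v4l2_rect *boundary)
{
	return r->left >= boundary->left && r->top >= boundary->top &&
	       r->left + r->width <= boundary->left + boundary->width &&
	       r->top + r->height <= boundary->top + boundary->height;
}

/* Map a copy of r with either version; *out receives the result and the
 * return value says whether that result is inside boundary. */
static int map_and_check(int use_fixed, struct v4l2_rect r,
			 const struct v4l2_rect *boundary, struct v4l2_rect *out)
{
	if (use_fixed)
		rect_map_inside_fixed(&r, boundary);
	else
		rect_map_inside_buggy(&r, boundary);
	if (out)
		*out = r;
	return rect_inside(&r, boundary);
}

int main(void)
{
	/* The values from the commit message. */
	const struct v4l2_rect boundary = { .left = 100, .top = 100, .width = 800, .height = 600 };
	const struct v4l2_rect r = { .left = 0, .top = 0, .width = 1920, .height = 960 };
	struct v4l2_rect out;
	int ok;

	ok = map_and_check(0, r, &boundary, &out); /* {0,0,800,600}, inside=0 */
	printf("buggy: {%d,%d,%u,%u} inside=%d\n", out.left, out.top, out.width, out.height, ok);
	ok = map_and_check(1, r, &boundary, &out); /* {100,100,800,600}, inside=1 */
	printf("fixed: {%d,%d,%u,%u} inside=%d\n", out.left, out.top, out.width, out.height, ok);
	return 0;
}
```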
    • media: v4l2-core: compat: ignore native command codes · 2ea36671
      Arnd Bergmann authored
      commit 4a873f3f upstream.
      
      The do_video_ioctl() compat handler converts the compat command
      codes into the native ones before processing further, but this
      causes problems for 32-bit user applications that pass a command
      code that matches a 64-bit native number, which will then be
      handled the same way.
      
      Specifically, this breaks VIDIOC_DQEVENT_TIME from user space
      applications with 64-bit time_t, as the structure layout is
      the same as the native 64-bit layout on many architectures
      (x86 being the notable exception).
      
      Change the handler to use the converted command code only for
      passing into the native ioctl handler, not for deciding on the
      conversion, in order to make the compat behavior match the
      native behavior.
      
      Actual support for the 64-bit time_t version of VIDIOC_DQEVENT_TIME
      and other commands still needs to be added in a separate patch.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • media/v4l2-core: set pages dirty upon releasing DMA buffers · 166d8306
      John Hubbard authored
      commit 3c7470b6 upstream.
      
      After DMA is complete, and the device and CPU caches are synchronized,
      it's still required to mark the CPU pages as dirty, if the data was
      coming from the device.  However, this driver was just issuing a bare
      put_page() call, without any set_page_dirty*() call.
      
      Fix the problem, by calling set_page_dirty_lock() if the CPU pages were
      potentially receiving data from the device.
      
      Link: http://lkml.kernel.org/r/20200107224558.2362728-11-jhubbard@nvidia.com
      Signed-off-by: John Hubbard <jhubbard@nvidia.com>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Acked-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
      Cc: <stable@vger.kernel.org>
      Cc: Alex Williamson <alex.williamson@redhat.com>
      Cc: Aneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Cc: Björn Töpel <bjorn.topel@intel.com>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Ira Weiny <ira.weiny@intel.com>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Jason Gunthorpe <jgg@mellanox.com>
      Cc: Jason Gunthorpe <jgg@ziepe.ca>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Jerome Glisse <jglisse@redhat.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Cc: Leon Romanovsky <leonro@mellanox.com>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mm: move_pages: report the number of non-attempted pages · 0730292c
      Yang Shi authored
      commit 5984fabb upstream.
      
      Since commit a49bd4d7 ("mm, numa: rework do_pages_move"), the
      semantic of move_pages() has changed to return the number of
      non-migrated pages if they were the result of non-fatal reasons (usually a
      busy page).
      
      This was an unintentional change that hasn't been noticed except for LTP
      tests which checked for the documented behavior.
      
      There are two ways to go around this change.  We can even get back to
      the original behavior and return -EAGAIN whenever migrate_pages is not
      able to migrate pages due to non-fatal reasons.  Another option would be
      to simply continue with the changed semantic and extend move_pages
      documentation to clarify that -errno is returned on an invalid input or
      when migration simply cannot succeed (e.g.  -ENOMEM, -EBUSY) or the
      number of pages that couldn't have been migrated due to ephemeral
      reasons (e.g.  page is pinned or locked for other reasons).
      
      This patch implements the second option because this behavior has been in
      place for some time without anybody complaining, and possibly new users
      depend on it.  Also it allows slightly easier error
      handling, as the caller knows that it is worth retrying when err > 0.
      
      But since the new semantic would be aborted immediately if migration
      failed due to ephemeral reasons, we need to include the number of
      non-attempted pages in the return value too.
      
      Link: http://lkml.kernel.org/r/1580160527-109104-1-git-send-email-yang.shi@linux.alibaba.com
      Fixes: a49bd4d7 ("mm, numa: rework do_pages_move")
      Signed-off-by: Yang Shi <yang.shi@linux.alibaba.com>
      Suggested-by: Michal Hocko <mhocko@suse.com>
      Acked-by: Michal Hocko <mhocko@suse.com>
      Reviewed-by: Wei Yang <richardw.yang@linux.intel.com>
      Cc: <stable@vger.kernel.org>    [4.17+]
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mm/memory_hotplug: fix remove_memory() lockdep splat · 9a6873a9
      Dan Williams authored
      commit f1037ec0 upstream.
      
      The daxctl unit test for the dax_kmem driver currently triggers the
      (false positive) lockdep splat below.  It results from the fact that
      remove_memory_block_devices() is invoked under the mem_hotplug_lock()
      causing lockdep entanglements with cpu_hotplug_lock() and sysfs (kernfs
      active state tracking).  It is a false positive because the sysfs
      attribute path triggering the memory remove is not the same attribute
      path associated with memory-block device.
      
      sysfs_break_active_protection() is not applicable since there is no real
      deadlock conflict, instead move memory-block device removal outside the
      lock.  The mem_hotplug_lock() is not needed to synchronize the
      memory-block device removal vs the page online state, that is already
      handled by lock_device_hotplug().  Specifically, lock_device_hotplug()
      is sufficient to allow try_remove_memory() to check the offline state of
      the memblocks and be assured that any in progress online attempts are
      flushed / blocked by kernfs_drain() / attribute removal.
      
      The add_memory() path safely creates memblock devices under the
      mem_hotplug_lock().  There is no kernfs active state synchronization in
      the memblock device_register() path, so nothing to fix there.
      
      This change is only possible thanks to the recent change that refactored
      memory block device removal out of arch_remove_memory() (commit
      4c4b7f9b "mm/memory_hotplug: remove memory block devices before
      arch_remove_memory()"), and David's due diligence tracking down the
      guarantees afforded by kernfs_drain().  Not flagged for -stable since
      this only impacts ongoing development and lockdep validation, not a
      runtime issue.
      
          ======================================================
          WARNING: possible circular locking dependency detected
          5.5.0-rc3+ #230 Tainted: G           OE
          ------------------------------------------------------
          lt-daxctl/6459 is trying to acquire lock:
          ffff99c7f0003510 (kn->count#241){++++}, at: kernfs_remove_by_name_ns+0x41/0x80
      
          but task is already holding lock:
          ffffffffa76a5450 (mem_hotplug_lock.rw_sem){++++}, at: percpu_down_write+0x20/0xe0
      
          which lock already depends on the new lock.
      
          the existing dependency chain (in reverse order) is:
      
          -> #2 (mem_hotplug_lock.rw_sem){++++}:
                 __lock_acquire+0x39c/0x790
                 lock_acquire+0xa2/0x1b0
                 get_online_mems+0x3e/0xb0
                 kmem_cache_create_usercopy+0x2e/0x260
                 kmem_cache_create+0x12/0x20
                 ptlock_cache_init+0x20/0x28
                 start_kernel+0x243/0x547
                 secondary_startup_64+0xb6/0xc0
      
          -> #1 (cpu_hotplug_lock.rw_sem){++++}:
                 __lock_acquire+0x39c/0x790
                 lock_acquire+0xa2/0x1b0
                 cpus_read_lock+0x3e/0xb0
                 online_pages+0x37/0x300
                 memory_subsys_online+0x17d/0x1c0
                 device_online+0x60/0x80
                 state_store+0x65/0xd0
                 kernfs_fop_write+0xcf/0x1c0
                 vfs_write+0xdb/0x1d0
                 ksys_write+0x65/0xe0
                 do_syscall_64+0x5c/0xa0
                 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
          -> #0 (kn->count#241){++++}:
                 check_prev_add+0x98/0xa40
                 validate_chain+0x576/0x860
                 __lock_acquire+0x39c/0x790
                 lock_acquire+0xa2/0x1b0
                 __kernfs_remove+0x25f/0x2e0
                 kernfs_remove_by_name_ns+0x41/0x80
                 remove_files.isra.0+0x30/0x70
                 sysfs_remove_group+0x3d/0x80
                 sysfs_remove_groups+0x29/0x40
                 device_remove_attrs+0x39/0x70
                 device_del+0x16a/0x3f0
                 device_unregister+0x16/0x60
                 remove_memory_block_devices+0x82/0xb0
                 try_remove_memory+0xb5/0x130
                 remove_memory+0x26/0x40
                 dev_dax_kmem_remove+0x44/0x6a [kmem]
                 device_release_driver_internal+0xe4/0x1c0
                 unbind_store+0xef/0x120
                 kernfs_fop_write+0xcf/0x1c0
                 vfs_write+0xdb/0x1d0
                 ksys_write+0x65/0xe0
                 do_syscall_64+0x5c/0xa0
                 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
          other info that might help us debug this:
      
          Chain exists of:
            kn->count#241 --> cpu_hotplug_lock.rw_sem --> mem_hotplug_lock.rw_sem
      
           Possible unsafe locking scenario:
      
                 CPU0                    CPU1
                 ----                    ----
            lock(mem_hotplug_lock.rw_sem);
                                         lock(cpu_hotplug_lock.rw_sem);
                                         lock(mem_hotplug_lock.rw_sem);
            lock(kn->count#241);
      
           *** DEADLOCK ***
      
      No fixes tag as this has been a long standing issue that predated the
      addition of kernfs lockdep annotations.
      
      Link: http://lkml.kernel.org/r/157991441887.2763922.4770790047389427325.stgit@dwillia2-desk3.amr.corp.intel.com
      Signed-off-by: Dan Williams <dan.j.williams@intel.com>
      Acked-by: Michal Hocko <mhocko@suse.com>
      Reviewed-by: David Hildenbrand <david@redhat.com>
      Cc: Vishal Verma <vishal.l.verma@intel.com>
      Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: dummy: Fix PCM format loop in proc output · 23efa4f9
      Takashi Iwai authored
      commit 2acf25f1 upstream.
      
      The loop termination for iterating over all formats should contain
      SNDRV_PCM_FORMAT_LAST, not less than it.
      
      Fixes: 9b151fec ("ALSA: dummy - Add debug proc file")
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200201080530.22390-3-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Fix endianness in descriptor validation · a46ebc21
      Takashi Iwai authored
      commit f8e5f90b upstream.
      
      I overlooked that some fields are words and need the conversions from
      LE in the recently added USB descriptor validation code.
      This patch fixes those with the proper macro usages.
      
      Fixes: 57f87706 ("ALSA: usb-audio: More validations of descriptor units")
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200201080530.22390-1-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: gadget: f_ecm: Use atomic_t to track in-flight request · e3ed79d1
      Bryan O'Donoghue authored
      commit d710562e upstream.
      
      Currently ecm->notify_req is used to flag when a request is in-flight.
      ecm->notify_req is set to NULL and when a request completes it is
      subsequently reset.
      
      This is fundamentally buggy in that the unbind logic of the ECM driver will
      unconditionally free ecm->notify_req leading to a NULL pointer dereference.
      
      Fixes: da741b8c ("usb ethernet gadget: split CDC Ethernet function")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: gadget: f_ncm: Use atomic_t to track in-flight request · d1e5dcaf
      Bryan O'Donoghue authored
      commit 5b24c28c upstream.
      
      Currently ncm->notify_req is used to flag when a request is in-flight.
      ncm->notify_req is set to NULL and when a request completes it is
      subsequently reset.
      
      This is fundamentally buggy in that the unbind logic of the NCM driver will
      unconditionally free ncm->notify_req leading to a NULL pointer dereference.
      
      Fixes: 40d133d7 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: gadget: legacy: set max_speed to super-speed · 0c26dfaf
      Roger Quadros authored
      commit 463f67ae upstream.
      
      These interfaces do support super-speed so let's not
      limit maximum speed to high-speed.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Roger Quadros <rogerq@ti.com>
      Signed-off-by: Felipe Balbi <balbi@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usb: typec: tcpci: mask event interrupts when remove driver · 1ee531e8
      Jun Li authored
      commit 3ba76256 upstream.
      
      This is to prevent any possible events generated while unregistering
      the tcpm port.
      
      Fixes: 74e656d6 ("staging: typec: Type-C Port Controller Interface driver (tcpci)")
      Signed-off-by: Li Jun <jun.li@nxp.com>
      Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
      Reviewed-by: Guenter Roeck <linux@roeck-us.net>
      Link: https://lore.kernel.org/r/1579502333-4145-1-git-send-email-jun.li@nxp.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • brcmfmac: Fix memory leak in brcmf_usbdev_qinit · 0eb1a435
      Navid Emamdoost authored
      commit 4282dc05 upstream.
      
      In the implementation of brcmf_usbdev_qinit() the allocated memory for
      reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
      handling path.
      
      Fixes: 71bb244b ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
      Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • rcu: Avoid data-race in rcu_gp_fqs_check_wake() · 00b13445
      Eric Dumazet authored
      commit 6935c398 upstream.
      
      The rcu_gp_fqs_check_wake() function uses rcu_preempt_blocked_readers_cgp()
      to read ->gp_tasks while other cpus might overwrite this field.
      
      We need READ_ONCE()/WRITE_ONCE() pairs to avoid compiler
      tricks and KCSAN splats like the following:
      
      BUG: KCSAN: data-race in rcu_gp_fqs_check_wake / rcu_preempt_deferred_qs_irqrestore
      
      write to 0xffffffff85a7f190 of 8 bytes by task 7317 on cpu 0:
       rcu_preempt_deferred_qs_irqrestore+0x43d/0x580 kernel/rcu/tree_plugin.h:507
       rcu_read_unlock_special+0xec/0x370 kernel/rcu/tree_plugin.h:659
       __rcu_read_unlock+0xcf/0xe0 kernel/rcu/tree_plugin.h:394
       rcu_read_unlock include/linux/rcupdate.h:645 [inline]
       __ip_queue_xmit+0x3b0/0xa40 net/ipv4/ip_output.c:533
       ip_queue_xmit+0x45/0x60 include/net/ip.h:236
       __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158
       __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685
       tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691
       tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575
       tcp_recvmsg+0x633/0x1a30 net/ipv4/tcp.c:2179
       inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
       sock_recvmsg_nosec net/socket.c:871 [inline]
       sock_recvmsg net/socket.c:889 [inline]
       sock_recvmsg+0x92/0xb0 net/socket.c:885
       sock_read_iter+0x15f/0x1e0 net/socket.c:967
       call_read_iter include/linux/fs.h:1864 [inline]
       new_sync_read+0x389/0x4f0 fs/read_write.c:414
      
      read to 0xffffffff85a7f190 of 8 bytes by task 10 on cpu 1:
       rcu_gp_fqs_check_wake kernel/rcu/tree.c:1556 [inline]
       rcu_gp_fqs_check_wake+0x93/0xd0 kernel/rcu/tree.c:1546
       rcu_gp_fqs_loop+0x36c/0x580 kernel/rcu/tree.c:1611
       rcu_gp_kthread+0x143/0x220 kernel/rcu/tree.c:1768
       kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 10 Comm: rcu_preempt Not tainted 5.3.0+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      [ paulmck:  Added another READ_ONCE() for RCU CPU stall warnings. ]
      Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tracing: Fix sched switch start/stop refcount racy updates · 62bfa26e
      Mathieu Desnoyers authored
      commit 64ae572b upstream.
      
      Reading the sched_cmdline_ref and sched_tgid_ref initial state within
      tracing_start_sched_switch without holding the sched_register_mutex is
      racy against concurrent updates, which can lead to tracepoint probes
      being registered more than once (and thus trigger warnings within
      tracepoint.c).
      
      [ May be the fix for this bug ]
      Link: https://lore.kernel.org/r/000000000000ab6f84056c786b93@google.com
      
      Link: http://lkml.kernel.org/r/20190817141208.15226-1-mathieu.desnoyers@efficios.com
      
      Cc: stable@vger.kernel.org
      CC: Steven Rostedt (VMware) <rostedt@goodmis.org>
      CC: Joel Fernandes (Google) <joel@joelfernandes.org>
      CC: Peter Zijlstra <peterz@infradead.org>
      CC: Thomas Gleixner <tglx@linutronix.de>
      CC: Paul E. McKenney <paulmck@linux.ibm.com>
      Reported-by: syzbot+774fddf07b7ab29a1e55@syzkaller.appspotmail.com
      Fixes: d914ba37 ("tracing: Add support for recording tgid of tasks")
      Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ipc/msg.c: consolidate all xxxctl_down() functions · 078dd732
      Lu Shuaibing authored
      commit 889b3317 upstream.
      
      There is a use of uninitialized memory in msgctl_down() because msqid64 in
      ksys_msgctl hasn't been initialized.  The local msqid64 is created in
      ksys_msgctl() and then passed into msgctl_down().  Along the way msqid64
      is never initialized before msgctl_down() checks msqid64->msg_qbytes.
      
      KUMSAN (KernelUninitializedMemorySanitizer, a new error detection tool)
      reports:
      
      ==================================================================
      BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
      Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
      
      CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      Call Trace:
       dump_stack+0x75/0xae
       __kumsan_report+0x17c/0x3e6
       kumsan_report+0xe/0x20
       msgctl_down+0x94/0x300
       ksys_msgctl.constprop.14+0xef/0x260
       do_syscall_64+0x7e/0x1f0
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x4400e9
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
      R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
      R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x100000000000000()
      raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kumsan: bad access detected
      ==================================================================
      
      Syzkaller reproducer:
      msgctl$IPC_RMID(0x0, 0x0)
      
      C reproducer:
      // autogenerated by syzkaller (https://github.com/google/syzkaller)
      // (headers added so the reproducer compiles stand-alone)
      #include <unistd.h>
      #include <sys/syscall.h>
      
      int main(void)
      {
        syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
        // msgctl(0, IPC_RMID, NULL): reaches msgctl_down() with msqid64 uninitialized
        syscall(__NR_msgctl, 0, 0, 0);
        return 0;
      }
      
      [natechancellor@gmail.com: adjust indentation in ksys_msgctl]
        Link: https://github.com/ClangBuiltLinux/linux/issues/829
        Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
      Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com
      Signed-off-by: Lu Shuaibing <shuaibinglu@126.com>
      Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
      Suggested-by: Arnd Bergmann <arnd@arndb.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: NeilBrown <neilb@suse.com>
      From: Andrew Morton <akpm@linux-foundation.org>
      Subject: ipc/msg.c: consolidate all xxxctl_down() functions
      
      Each line here overflows 80 cols by exactly one character.  Delete one tab
      per line to fix.
      
      Cc: Shaohua Li <shli@fb.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mfd: dln2: More sanity checking for endpoints · f7d8f999
      Oliver Neukum authored
      commit 2b8bd606 upstream.
      
      It is not enough to check for the number of endpoints.
      The types must also be correct.
      
      Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com
      Signed-off-by: Oliver Neukum <oneukum@suse.com>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Will Deacon's avatar
      media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors · 3ceb3fcd
      Will Deacon authored
      commit 68035c80 upstream.
      
      Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
      up the following WARNING from the UVC chain scanning code:
      
        | list_add double add: new=ffff880069084010, prev=ffff880069084010,
        | next=ffff880067d22298.
        | ------------[ cut here ]------------
        | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
        | Modules linked in:
        | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
        | 4.14.0-rc2-42613-g1488251d1a98 #238
        | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        | Workqueue: usb_hub_wq hub_event
        | task: ffff88006b01ca40 task.stack: ffff880064358000
        | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
        | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
        | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
        | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
        | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
        | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
        | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
        | FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
        | CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
        | Call Trace:
        |  __list_add ./include/linux/list.h:59
        |  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
        |  uvc_scan_chain_forward.isra.8+0x373/0x416
        | drivers/media/usb/uvc/uvc_driver.c:1471
        |  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
        |  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
        |  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
      
      Looking into the output from usbmon, the interesting part is the
      following data packet:
      
        ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
        00090403 00000e01 00000924 03000103 7c003328 010204db
      
      If we drop the lead configuration and interface descriptors, we're left
      with an output terminal descriptor describing a generic display:
      
        /* Output terminal descriptor */
        buf[0]	09
        buf[1]	24
        buf[2]	03	/* UVC_VC_OUTPUT_TERMINAL */
        buf[3]	00	/* ID */
        buf[4]	01	/* type == 0x0301 (UVC_OTT_DISPLAY) */
        buf[5]	03
        buf[6]	7c
        buf[7]	00	/* source ID refers to self! */
        buf[8]	33
      
      The problem with this descriptor is that it is self-referential: the
      source ID of 0 matches itself! This causes the 'struct uvc_entity'
      representing the display to be added to its chain list twice during
      'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
      processed directly from the 'dev->entities' list and then again
      immediately afterwards when trying to follow the source ID in
      'uvc_scan_chain_forward()'
      
      Add a check before adding an entity to a chain list to ensure that the
      entity is not already part of a chain.
      
      Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/
      
      Cc: <stable@vger.kernel.org>
      Fixes: c0efd232 ("V4L/DVB (8145a): USB Video Class driver")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ceb3fcd
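      The descriptor walk and the chain check described above, as an added example that is not the uvcvideo driver's code: a small userspace model that parses the 32 bytes of the usbmon packet quoted in the message, collects the VC terminals, and then builds chains with the same guard the fix adds (refuse to add an entity that is already part of a chain). Entity IDs, field offsets and the two sample descriptor blobs follow the UVC layout shown in the message; the well-formed counterpart, the struct names and the MAX_ENTITIES limit are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define USB_DT_CS_INTERFACE     0x24
#define UVC_VC_INPUT_TERMINAL   0x02
#define UVC_VC_OUTPUT_TERMINAL  0x03
#define MAX_ENTITIES            16   /* assumption: enough for the samples below */

struct uvc_entity {
    uint8_t id;
    uint8_t subtype;
    uint8_t source_id;   /* bSourceID for output terminals, 0 for input terminals */
    bool    in_chain;    /* set once the entity has been added to a chain */
};

struct uvc_dev {
    struct uvc_entity ents[MAX_ENTITIES];
    int n;
};

/* Walk a descriptor blob and collect VC input/output terminals.  Every
 * bLength is checked against the bytes that remain; a descriptor that runs
 * past the end of the blob ends the walk.  Returns the number of entities
 * collected, or -1 on a bLength that could never be valid. */
static int uvc_parse_vc(struct uvc_dev *dev, const uint8_t *buf, size_t len)
{
    dev->n = 0;
    while (len >= 2) {
        uint8_t blen = buf[0], btype = buf[1];
        if (blen < 2)
            return -1;              /* zero/short length: would never advance */
        if (blen > len)
            break;                  /* truncated tail: keep what was parsed */
        if (btype == USB_DT_CS_INTERFACE && blen >= 3 && dev->n < MAX_ENTITIES) {
            uint8_t sub = buf[2];
            struct uvc_entity *e = &dev->ents[dev->n];
            if (sub == UVC_VC_OUTPUT_TERMINAL && blen >= 9) {
                e->id = buf[3]; e->subtype = sub; e->source_id = buf[7];
                e->in_chain = false; dev->n++;
            } else if (sub == UVC_VC_INPUT_TERMINAL && blen >= 8) {
                e->id = buf[3]; e->subtype = sub; e->source_id = 0;
                e->in_chain = false; dev->n++;
            }
        }
        buf += blen;
        len -= blen;
    }
    return dev->n;
}

/* ID 0 is reserved by the UVC spec, but as the commit describes, the lookup
 * happily matches an entity whose own ID is 0; this model does the same and
 * relies on the in_chain guard below to catch the resulting self-reference. */
static struct uvc_entity *uvc_find_entity(struct uvc_dev *dev, uint8_t id)
{
    for (int i = 0; i < dev->n; i++)
        if (dev->ents[i].id == id)
            return &dev->ents[i];
    return NULL;
}

/* Follow bSourceID links from an output terminal.  Mirrors the fix: an entity
 * that is already part of a chain is refused instead of being list_add()ed a
 * second time.  Returns the chain length, or -1 on a cycle/double add. */
static int uvc_scan_chain(struct uvc_dev *dev, struct uvc_entity *start)
{
    struct uvc_entity *e = start;
    int hops = 0;
    while (e) {
        if (e->in_chain)
            return -1;              /* self-reference or entity shared by two chains */
        e->in_chain = true;
        hops++;
        e = uvc_find_entity(dev, e->source_id);
    }
    return hops;
}

/* One chain per output terminal.  Returns the number of chains built, or -1
 * if any chain is malformed. */
static int uvc_scan_device(struct uvc_dev *dev)
{
    int chains = 0;
    for (int i = 0; i < dev->n; i++) {
        struct uvc_entity *e = &dev->ents[i];
        if (e->subtype != UVC_VC_OUTPUT_TERMINAL || e->in_chain)
            continue;
        if (uvc_scan_chain(dev, e) < 0)
            return -1;
        chains++;
    }
    return chains;
}

/* The 32 bytes of the usbmon packet quoted in the commit message: configuration
 * descriptor, interface descriptor, the self-referential output terminal
 * (ID 0, bSourceID 0), then a descriptor cut off by the capture. */
static const uint8_t fuzzed_desc[] = {
    0x09, 0x02, 0x8f, 0x00, 0x01, 0x03, 0x00, 0x80, 0x00,
    0x09, 0x04, 0x03, 0x00, 0x00, 0x0e, 0x01, 0x00, 0x00,
    0x09, 0x24, 0x03, 0x00, 0x01, 0x03, 0x7c, 0x00, 0x33,
    0x28, 0x01, 0x02, 0x04, 0xdb,
};

/* Constructed well-formed counterpart (not from the page): input terminal ID 1
 * feeding output terminal ID 2, field widths trimmed to what the parser reads. */
static const uint8_t sane_desc[] = {
    0x08, 0x24, 0x02, 0x01, 0x01, 0x02, 0x00, 0x00,
    0x09, 0x24, 0x03, 0x02, 0x01, 0x03, 0x00, 0x01, 0x00,
};

int main(void)
{
    struct uvc_dev dev;
    int n = uvc_parse_vc(&dev, fuzzed_desc, sizeof fuzzed_desc);
    printf("fuzzed: %d entities, scan -> %d\n", n, uvc_scan_device(&dev));
    n = uvc_parse_vc(&dev, sane_desc, sizeof sane_desc);
    printf("sane:   %d entities, scan -> %d\n", n, uvc_scan_device(&dev));
    return 0;
}
```

      On the fuzzed blob the scan is rejected at the second visit of entity 0, which is exactly the list_add that the WARNING above complained about; on the sane blob one two-entity chain is built.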
    • David Howells's avatar
      rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect · 22779a27
      David Howells authored
      [ Upstream commit 5273a191 ]
      
      When a call is disconnected, the connection pointer from the call is
      cleared to make sure it isn't used again and to prevent further attempted
      transmission for the call.  Unfortunately, there might be a daemon trying
      to use it at the same time to transmit a packet.
      
      Fix this by keeping call->conn set, but setting a flag on the call to
      indicate disconnection instead.
      
      Remove also the bits in the transmission functions where the conn pointer is
      checked and a ref taken under spinlock as this is now redundant.
      
      Fixes: 8d94aa38 ("rxrpc: Calls shouldn't hold socket refs")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22779a27
    • David Howells's avatar
      rxrpc: Fix missing active use pinning of rxrpc_local object · a2562d42
      David Howells authored
      [ Upstream commit 04d36d74 ]
      
      The introduction of a split between the reference count on rxrpc_local
      objects and the usage count didn't quite go far enough.  A number of kernel
      work items need to make use of the socket to perform transmission.  These
      also need to get an active count on the local object to prevent the socket
      from being closed.
      
      Fix this by getting the active count in those places.
      
      Also split out the raw active count get/put functions as these places tend
      to hold refs on the rxrpc_local object already, so getting and putting an
      extra object ref is just a waste of time.
      
      The problem can lead to symptoms like:
      
          BUG: kernel NULL pointer dereference, address: 0000000000000018
          ..
          CPU: 2 PID: 818 Comm: kworker/u9:0 Not tainted 5.5.0-fscache+ #51
          ...
          RIP: 0010:selinux_socket_sendmsg+0x5/0x13
          ...
          Call Trace:
           security_socket_sendmsg+0x2c/0x3e
           sock_sendmsg+0x1a/0x46
           rxrpc_send_keepalive+0x131/0x1ae
           rxrpc_peer_keepalive_worker+0x219/0x34b
           process_one_work+0x18e/0x271
           worker_thread+0x1a3/0x247
           kthread+0xe6/0xeb
           ret_from_fork+0x1f/0x30
      
      Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2562d42
    • David Howells's avatar
      rxrpc: Fix insufficient receive notification generation · dba85332
      David Howells authored
      [ Upstream commit f71dbf2f ]
      
      In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
      number of the packet is immediately following the hard-ack point at the end
      of the function.  However, this isn't sufficient, since the recvmsg side
      may have been advancing the window and then overrun the position in which
      we're adding - at which point rx_hard_ack >= seq0 and no notification is
      generated.
      
      Fix this by always generating a notification at the end of the input
      function.
      
      Without this, a long call may stall, possibly indefinitely.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dba85332
    • David Howells's avatar
      rxrpc: Fix use-after-free in rxrpc_put_local() · 85c45a48
      David Howells authored
      [ Upstream commit fac20b9e ]
      
      Fix rxrpc_put_local() to not access local->debug_id after calling
      atomic_dec_return() as, unless that returned n==0, we no longer have the
      right to access the object.
      
      Fixes: 06d9532f ("rxrpc: Fix read-after-free in rxrpc_queue_local()")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85c45a48
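      The ordering rule stated above (nothing in the object may be touched after the decrement unless it returned 0), as an added example that is not rxrpc's code: a userspace model in which "another CPU" drops the last reference in the window after our atomic_dec_return(), and a stand-in for kfree() poisons the object the way slab poisoning would. The struct layout, the 0x6b poison value, the race hook and the sample debug IDs are assumptions made for this example.

```c
#include <stdatomic.h>
#include <string.h>
#include <stdio.h>

/* Model of the object: a usage count plus the debug_id the put path traces. */
struct rxrpc_local {
    atomic_int   usage;
    unsigned int debug_id;
    int          freed;      /* model only: set by free_local() */
};

/* Stand-in for kfree() with slab poisoning: the bytes are overwritten (SLUB
 * uses 0x6b) so that a read after the free shows up as garbage instead of as
 * undefined behaviour.  Nothing is really freed. */
static void free_local(struct rxrpc_local *local)
{
    memset(local, 0x6b, sizeof(*local));
    local->freed = 1;
}

typedef void (*race_hook)(struct rxrpc_local *);

static void no_race(struct rxrpc_local *local) { (void)local; }

/* Stands in for another CPU dropping its reference between our decrement and
 * our read.  If it takes the count to 0 it owns, and performs, the free. */
static void concurrent_put(struct rxrpc_local *local)
{
    if (atomic_fetch_sub(&local->usage, 1) - 1 == 0)
        free_local(local);
}

/* Pattern the commit removes: debug_id is read after the decrement.  If the
 * decrement returned n != 0 we no longer hold a reference, so by the time we
 * read the field the object may already be gone. */
static unsigned int put_local_buggy(struct rxrpc_local *local, race_hook racer)
{
    int n = atomic_fetch_sub(&local->usage, 1) - 1;
    racer(local);                        /* window in which we hold no reference */
    unsigned int id = local->debug_id;   /* reads poison if the racer freed it */
    if (n == 0)
        free_local(local);
    return id;
}

/* Fixed ordering: snapshot everything the trace needs while the reference is
 * still held, drop it, and touch *local afterwards only if n == 0. */
static unsigned int put_local_fixed(struct rxrpc_local *local, race_hook racer)
{
    unsigned int id = local->debug_id;   /* read while we still own a ref */
    int n = atomic_fetch_sub(&local->usage, 1) - 1;
    racer(local);
    if (n == 0)
        free_local(local);
    return id;
}

static void local_init(struct rxrpc_local *local, int refs, unsigned int debug_id)
{
    atomic_store(&local->usage, refs);
    local->debug_id = debug_id;
    local->freed = 0;
}

int main(void)
{
    struct rxrpc_local l;
    local_init(&l, 2, 42);
    printf("buggy put traced debug_id 0x%08x (freed=%d)\n", put_local_buggy(&l, concurrent_put), l.freed);
    local_init(&l, 2, 42);
    printf("fixed put traced debug_id 0x%08x (freed=%d)\n", put_local_fixed(&l, concurrent_put), l.freed);
    return 0;
}
```

      With two holders, the buggy put traces 0x6b6b6b6b because the racer freed the object in the window; the fixed put traces 42 from its snapshot. Under KASAN the first read would be reported as a use-after-free, which is the class of bug the commit title names.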
    • Eric Dumazet's avatar
      tcp: clear tp->segs_{in|out} in tcp_disconnect() · 7e23f798
      Eric Dumazet authored
      [ Upstream commit 784f8344 ]
      
      tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: 2efd055c ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <mleitner@redhat.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e23f798
    • Eric Dumazet's avatar
      tcp: clear tp->data_segs{in|out} in tcp_disconnect() · 57542c05
      Eric Dumazet authored
      [ Upstream commit db7ffee6 ]
      
      tp->data_segs_in and tp->data_segs_out need to be cleared
      in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: a44d6eac ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57542c05
    • Eric Dumazet's avatar
      tcp: clear tp->delivered in tcp_disconnect() · 2d4bec3b
      Eric Dumazet authored
      [ Upstream commit 2fbdd562 ]
      
      tp->delivered needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: ddf1af6f ("tcp: new delivery accounting")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d4bec3b
    • Eric Dumazet's avatar
      tcp: clear tp->total_retrans in tcp_disconnect() · 4206e664
      Eric Dumazet authored
      [ Upstream commit c13c48c0 ]
      
      total_retrans needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: SeongJae Park <sjpark@amazon.de>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4206e664
    • Michael Chan's avatar
      bnxt_en: Fix TC queue mapping. · e7ec10b4
      Michael Chan authored
      [ Upstream commit 18e4960c ]
      
      The driver currently only calls netdev_set_tc_queue when the number of
      TCs is greater than 1.  Instead, the comparison should be greater than
      or equal to 1.  Even with 1 TC, we need to set the queue mapping.
      
      This bug can cause warnings when the number of TCs is changed back to 1.
      
      Fixes: 7809592d ("bnxt_en: Enable MSIX early in bnxt_init_one().")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7ec10b4
    • Nicolin Chen's avatar
      net: stmmac: Delete txtimer in suspend() · 0529d1ea
      Nicolin Chen authored
      [ Upstream commit 14b41a29 ]
      
      When running v5.5 with a rootfs on NFS, memory abort may happen in
      the system resume stage:
       Unable to handle kernel paging request at virtual address dead00000000012a
       [dead00000000012a] address between user and kernel address ranges
       pc : run_timer_softirq+0x334/0x3d8
       lr : run_timer_softirq+0x244/0x3d8
       x1 : ffff800011cafe80 x0 : dead000000000122
       Call trace:
        run_timer_softirq+0x334/0x3d8
        efi_header_end+0x114/0x234
        irq_exit+0xd0/0xd8
        __handle_domain_irq+0x60/0xb0
        gic_handle_irq+0x58/0xa8
        el1_irq+0xb8/0x180
        arch_cpu_idle+0x10/0x18
        do_idle+0x1d8/0x2b0
        cpu_startup_entry+0x24/0x40
        secondary_start_kernel+0x1b4/0x208
       Code: f9000693 a9400660 f9000020 b4000040 (f9000401)
       ---[ end trace bb83ceeb4c482071 ]---
       Kernel panic - not syncing: Fatal exception in interrupt
       SMP: stopping secondary CPUs
       SMP: failed to stop secondary CPUs 2-3
       Kernel Offset: disabled
       CPU features: 0x00002,2300aa30
       Memory Limit: none
       ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      It's found that stmmac_xmit() and stmmac_resume() sometimes might
      run concurrently, possibly resulting in a race condition between
      mod_timer() and setup_timer(), being called by stmmac_xmit() and
      stmmac_resume() respectively.
      
      Since the resume() runs setup_timer() every time, it'd be safer to
      have del_timer_sync() in the suspend() as the counterpart.
      Signed-off-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0529d1ea
    • Cong Wang's avatar
      net_sched: fix an OOB access in cls_tcindex · 478c4b2f
      Cong Wang authored
      [ Upstream commit 599be01e ]
      
      As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
      to compute the size of memory allocation, but cp->hash is
      set again after the allocation, this caused an out-of-bound
      access.
      
      So we have to move all cp->hash initialization and computation
      before the memory allocation. Move cp->mask and cp->shift together
      as cp->hash may need them for computation too.
      
      Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
      Fixes: 331b7292 ("net: sched: RCU cls_tcindex")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      478c4b2f
    • Eric Dumazet's avatar
      net: hsr: fix possible NULL deref in hsr_handle_frame() · d5524d5a
      Eric Dumazet authored
      [ Upstream commit 2b5b8251 ]
      
      hsr_port_get_rcu() can return NULL, so we need to be careful.
      
      general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
      CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
      RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
      Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
      RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
      RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
      RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
      R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
      R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
      FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
       __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
       __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
       __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
       process_backlog+0x206/0x750 net/core/dev.c:6144
       napi_poll net/core/dev.c:6582 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6650
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
       </IRQ>
      
      Fixes: c5a75911 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5524d5a
    • Ridge Kennedy's avatar
      l2tp: Allow duplicate session creation with UDP · f0af9cd8
      Ridge Kennedy authored
      [ Upstream commit 0d0d9a38 ]
      
      In the past it was possible to create multiple L2TPv3 sessions with the
      same session id as long as the sessions belonged to different tunnels.
      The resulting sessions had issues when used with IP encapsulated tunnels,
      but worked fine with UDP encapsulated ones. Some applications began to
      rely on this behaviour to avoid having to negotiate unique session ids.
      
      Some time ago a change was made to require session ids to be unique across
      all tunnels, breaking the applications making use of this "feature".
      
      This change relaxes the duplicate session id check to allow duplicates
      if both of the colliding sessions belong to UDP encapsulated tunnels.
      
      Fixes: dbdbc73b ("l2tp: fix duplicate session creation")
      Signed-off-by: default avatarRidge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
      Acked-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0af9cd8
    • Taehee Yoo's avatar
      gtp: use __GFP_NOWARN to avoid memalloc warning · f2f39420
      Taehee Yoo authored
      [ Upstream commit bd5cd35b ]
      
      gtp hashtable size is received from user-space.
      So, this hashtable size could be too large. If so, kmalloc will internally
      print a warning message.
      This warning message is actually not necessary for the gtp module.
      So, this patch adds __GFP_NOWARN to avoid this message.
      
      Splat looks like:
      [ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740
      [ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv]
      [ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321
      [ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740
      [ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0
      [ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246
      [ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000
      [ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000
      [ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000
      [ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43
      [ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240
      [ 2171.292328][ T1860] FS:  00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
      [ 2171.293409][ T1860] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0
      [ 2171.295424][ T1860] Call Trace:
      [ 2171.295756][ T1860]  ? mark_held_locks+0xa5/0xe0
      [ 2171.296659][ T1860]  ? __alloc_pages_slowpath+0x21b0/0x21b0
      [ 2171.298283][ T1860]  ? gtp_encap_enable_socket+0x13e/0x400 [gtp]
      [ 2171.298962][ T1860]  ? alloc_pages_current+0xc1/0x1a0
      [ 2171.299475][ T1860]  kmalloc_order+0x22/0x80
      [ 2171.299936][ T1860]  kmalloc_order_trace+0x1d/0x140
      [ 2171.300437][ T1860]  __kmalloc+0x302/0x3a0
      [ 2171.300896][ T1860]  gtp_newlink+0x293/0xba0 [gtp]
      [ ... ]
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2f39420
    • Eric Dumazet's avatar
      cls_rsvp: fix rsvp_policy · 1cb578dc
      Eric Dumazet authored
      [ Upstream commit cb3c0e6b ]
      
      NLA_BINARY can be confusing, since .len value represents
      the max size of the blob.
      
      cls_rsvp really wants user space to provide long enough data
      for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
      
      BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
      BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
      BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
      CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       rsvp_get net/sched/cls_rsvp.h:258 [inline]
       gen_handle net/sched/cls_rsvp.h:402 [inline]
       rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
       tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
       rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
       netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45b349
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2774 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
       netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 6fa8c014 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cb578dc
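      The NLA_BINARY point made above (.len is a maximum, so a short blob passes and the classifier then reads bytes user space never supplied), as an added example that is not the kernel's nla_policy code: a userspace model of one TCA_RSVP_DST attribute validated under max-length semantics and under exact-length semantics, plus the number of bytes the subsequent copy would read past the payload. The attribute header and alignment follow the netlink uapi; the four-word destination (the cls_rsvp6 flavour), the policy struct and the helper names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Attribute header and alignment as in the netlink uapi. */
struct nlattr {
    uint16_t nla_len;    /* header + payload, before padding */
    uint16_t nla_type;
};
#define NLA_HDRLEN   ((int)sizeof(struct nlattr))
#define NLA_ALIGN(n) (((n) + 3) & ~3)

enum { TCA_RSVP_UNSPEC, TCA_RSVP_CLASSID, TCA_RSVP_DST, TCA_RSVP_SRC };

/* Assumption: the IPv6 classifier, where a destination is four u32 words. */
#define RSVP_DST_LEN   4
#define RSVP_DST_BYTES (RSVP_DST_LEN * (int)sizeof(uint32_t))

enum policy_kind { POLICY_MAX_LEN, POLICY_EXACT_LEN };
struct policy { enum policy_kind kind; int len; };

/* POLICY_MAX_LEN has NLA_BINARY semantics: .len is an upper bound, so a short
 * blob is accepted.  POLICY_EXACT_LEN requires precisely .len payload bytes.
 * Returns 0 if the attribute is accepted, -1 if it is rejected. */
static int validate_attr(const struct nlattr *a, const struct policy *p)
{
    int payload = (int)a->nla_len - NLA_HDRLEN;
    if (payload < 0)
        return -1;
    if (p->kind == POLICY_MAX_LEN)
        return payload <= p->len ? 0 : -1;
    return payload == p->len ? 0 : -1;
}

/* What the classifier then does with an accepted attribute: copy a whole
 * destination out of it.  Returns how many bytes that copy reads beyond the
 * payload user space actually sent (0 means every byte is backed by input). */
static int overread_bytes(const struct nlattr *a)
{
    int payload = (int)a->nla_len - NLA_HDRLEN;
    return payload >= RSVP_DST_BYTES ? 0 : RSVP_DST_BYTES - payload;
}

/* Build one attribute with `payload` zeroed data bytes in a caller-supplied,
 * 4-byte-aligned buffer.  Returns NULL if it does not fit. */
static struct nlattr *build_attr(uint8_t *buf, size_t bufsz, uint16_t type, int payload)
{
    struct nlattr *a = (struct nlattr *)buf;
    size_t total = NLA_ALIGN(NLA_HDRLEN + payload);
    if (payload < 0 || total > bufsz)
        return NULL;
    memset(buf, 0, total);
    a->nla_len  = (uint16_t)(NLA_HDRLEN + payload);
    a->nla_type = type;
    return a;
}

int main(void)
{
    uint32_t storage[16];
    uint8_t *buf = (uint8_t *)storage;
    struct policy maxlen = { POLICY_MAX_LEN,   RSVP_DST_BYTES };
    struct policy exact  = { POLICY_EXACT_LEN, RSVP_DST_BYTES };
    int sizes[] = { 2, RSVP_DST_BYTES, RSVP_DST_BYTES + 4 };

    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct nlattr *a = build_attr(buf, sizeof storage, TCA_RSVP_DST, sizes[i]);
        printf("payload %2d bytes: max-len %s, exact-len %s, copy overreads %d bytes\n",
               sizes[i],
               validate_attr(a, &maxlen) == 0 ? "accepts" : "rejects",
               validate_attr(a, &exact)  == 0 ? "accepts" : "rejects",
               overread_bytes(a));
    }
    return 0;
}
```

      A 2-byte payload is accepted under the max-length policy and the copy then reads 14 bytes that were never initialised by the sender, which is the KMSAN report above; an exact-length policy rejects it before rsvp_change() ever looks at the data.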
    • Arnd Bergmann's avatar
      sparc32: fix struct ipc64_perm type definition · 9e154752
      Arnd Bergmann authored
      [ Upstream commit 34ca70ef ]
      
      As discussed in the strace issue tracker, it appears that the sparc32
      sysvipc support has been broken for the past 11 years. It was however
      working in compat mode, which is how it must have escaped most of the
      regular testing.
      
      The problem is that a cleanup patch inadvertently changed the uid/gid
      fields in struct ipc64_perm from 32-bit types to 16-bit types in uapi
      headers.
      
      Both glibc and uclibc-ng still use the original types, so they should
      work fine with compat mode, but not natively.  Change the definitions
      to use __kernel_uid32_t and __kernel_gid32_t again.
      
      Fixes: 83c86984 ("sparc: unify ipcbuf.h")
      Link: https://github.com/strace/strace/issues/116
      Cc: <stable@vger.kernel.org> # v2.6.29
      Cc: Sam Ravnborg <sam@ravnborg.org>
      Cc: "Dmitry V . Levin" <ldv@altlinux.org>
      Cc: Rich Felker <dalias@libc.org>
      Cc: libc-alpha@sourceware.org
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9e154752
    • Luca Coelho's avatar
      iwlwifi: mvm: fix NVM check for 3168 devices · 9940e10d
      Luca Coelho authored
      [ Upstream commit b3f20e09 ]
      
      We had a check on !NVM_EXT and then a check for NVM_SDP in the else
      block of this if.  The else block, obviously, could only be reached if
      using NVM_EXT, so it would never be NVM_SDP.
      
      Fix that by checking whether the nvm_type is IWL_NVM instead of
      checking for !IWL_NVM_EXT to solve this issue.
      Reported-by: default avatarStefan Sperling <stsp@stsp.name>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9940e10d
    • John Ogness's avatar
      printk: fix exclusive_console replaying · 8360063b
      John Ogness authored
      [ Upstream commit def97da1 ]
      
      Commit f92b070f ("printk: Do not miss new messages when replaying
      the log") introduced a new variable @exclusive_console_stop_seq to
      store when an exclusive console should stop printing. It should be
      set to the @console_seq value at registration. However, @console_seq
      is previously set to @syslog_seq so that the exclusive console knows
      where to begin. This results in the exclusive console immediately
      reactivating all the other consoles and thus repeating the messages
      for those consoles.
      
      Set @console_seq after @exclusive_console_stop_seq has stored the
      current @console_seq value.
      
      Fixes: f92b070f ("printk: Do not miss new messages when replaying the log")
      Link: http://lkml.kernel.org/r/20191219115322.31160-1-john.ogness@linutronix.de
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarJohn Ogness <john.ogness@linutronix.de>
      Acked-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8360063b
    • Jan Kara's avatar
      udf: Allow writing to 'Rewritable' partitions · 97bc3b7d
      Jan Kara authored
      [ Upstream commit 15fb05fd ]
      
      UDF 2.60 standard states in section 2.2.14.2:
      
          A partition with Access Type 3 (rewritable) shall define a Freed
          Space Bitmap or a Freed Space Table, see 2.3.3. All other partitions
          shall not define a Freed Space Bitmap or a Freed Space Table.
      
          Rewritable partitions are used on media that require some form of
          preprocessing before re-writing data (for example legacy MO). Such
          partitions shall use Access Type 3.
      
          Overwritable partitions are used on media that do not require
          preprocessing before overwriting data (for example: CD-RW, DVD-RW,
          DVD+RW, DVD-RAM, BD-RE, HD DVD-Rewritable). Such partitions shall
          use Access Type 4.
      
      however older versions of the standard didn't have this wording and
      there are tools out there that create UDF filesystems with rewritable
      partitions but that don't contain a Freed Space Bitmap or a Freed Space
      Table on media that does not require pre-processing before overwriting a
      block. So instead of forcing media with rewritable partition read-only,
      base this decision on presence of a Freed Space Bitmap or a Freed Space
      Table.
      Reported-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Fixes: b085fbe2 ("udf: Fix crash during mount")
      Link: https://lore.kernel.org/linux-fsdevel/20200112144735.hj2emsoy4uwsouxz@pali
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      97bc3b7d