1. 29 Jan, 2020 13 commits
  2. 28 Jan, 2020 1 commit
  3. 15 Jan, 2020 4 commits
  4. 08 Jan, 2020 9 commits
  5. 07 Jan, 2020 13 commits
    • Connor Kuehl's avatar
    • Greg Kroah-Hartman's avatar
    • Eric Dumazet's avatar
      tcp: do not send empty skb from tcp_write_xmit() · bd8391c1
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 1f85e626 ]
      
      Backport of commit fdfc5c85 ("tcp: remove empty skb from
      write queue in error cases") in linux-4.14 stable triggered
      various bugs. One of them has been fixed in commit ba2ddb43f270
      ("tcp: Don't dequeue SYN/FIN-segments from write-queue"), but
      we still have crashes in some occasions.
      
      Root-cause is that when tcp_sendmsg() has allocated a fresh
      skb and could not append a fragment before being blocked
      in sk_stream_wait_memory(), tcp_write_xmit() might be called
      and decide to send this fresh and empty skb.
      
      Sending an empty packet is not only silly, it might have caused
      many issues we had in the past with tp->packets_out being
      out of sync.
      
      Fixes: c65f7f00 ("[TCP]: Simplify SKB data portion allocation with NETIF_F_SG.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Christoph Paasch <cpaasch@apple.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Cc: Jason Baron <jbaron@akamai.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      bd8391c1
    • Faiz Abbas's avatar
      mmc: sdhci: Update the tuning failed messages to pr_debug level · e05a6cbb
      Faiz Abbas authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 2c92dd20 ]
      
      Tuning support in DDR50 speed mode was added in SD Specifications Part1
      Physical Layer Specification v3.01. Its not possible to distinguish
      between v3.00 and v3.01 from the SCR and that is why since
      commit 4324f6de ("mmc: core: enable CMD19 tuning for DDR50 mode")
      tuning failures are ignored in DDR50 speed mode.
      
      Cards compatible with v3.00 don't respond to CMD19 in DDR50 and this
      error gets printed during enumeration and also if retune is triggered at
      any time during operation. Update the printk level to pr_debug so that
      these errors don't lead to false error reports.
      Signed-off-by: default avatarFaiz Abbas <faiz_abbas@ti.com>
      Cc: stable@vger.kernel.org # v4.4+
      Link: https://lore.kernel.org/r/20191206114326.15856-1-faiz_abbas@ti.comSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      e05a6cbb
    • Eric Dumazet's avatar
      hrtimer: Annotate lockless access to timer->state · 80bd249a
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 56144737 upstream.
      
      syzbot reported various data-race caused by hrtimer_is_queued() reading
      timer->state. A READ_ONCE() is required there to silence the warning.
      
      Also add the corresponding WRITE_ONCE() when timer->state is set.
      
      In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
      loading timer->state twice.
      
      KCSAN reported these cases:
      
      BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check
      
      write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
       __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
       __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
       __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
       hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
       __do_softirq+0x115/0x33f kernel/softirq.c:292
       run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
       smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
       kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
       tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
       tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
       tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
       tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
       tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
       tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
       tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
       sk_backlog_rcv include/net/sock.h:945 [inline]
       __release_sock+0x135/0x1e0 net/core/sock.c:2435
       release_sock+0x61/0x160 net/core/sock.c:2951
       sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
       tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
       tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
       inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0x9f/0xc0 net/socket.c:657
      
      BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check
      
      write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
       __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
       __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
       __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
       hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
       __do_softirq+0x115/0x33f kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0xbb/0xe0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
      
      read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
       __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
       tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
       tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
       tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
       sk_backlog_rcv include/net/sock.h:945 [inline]
       __release_sock+0x135/0x1e0 net/core/sock.c:2435
       release_sock+0x61/0x160 net/core/sock.c:2951
       sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
       tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
       tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
       inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0x9f/0xc0 net/socket.c:657
       __sys_sendto+0x21f/0x320 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto net/socket.c:1960 [inline]
       __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
       do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      [ tglx: Added comments ]
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      80bd249a
    • Eric Dumazet's avatar
      net: icmp: fix data-race in cmp_global_allow() · c4920b85
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit bbab7ef2 upstream.
      
      This code reads two global variables without protection
      of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
      avoid load/store-tearing and better document the intent.
      
      KCSAN reported :
      BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
      
      read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
       icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
       icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
       icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
       icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
       icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
       ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
       dst_link_failure include/net/dst.h:419 [inline]
       vti_xmit net/ipv4/ip_vti.c:243 [inline]
       vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
       __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
       netdev_start_xmit include/linux/netdevice.h:4434 [inline]
       xmit_one net/core/dev.c:3280 [inline]
       dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
       __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
       dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
       neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
       neigh_output include/net/neighbour.h:511 [inline]
       ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
       __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
       __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
       ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
       dst_output include/net/dst.h:436 [inline]
       ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
      
      write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
       icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
       icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
       icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
       icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
       icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
       ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
       dst_link_failure include/net/dst.h:419 [inline]
       vti_xmit net/ipv4/ip_vti.c:243 [inline]
       vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
       __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
       netdev_start_xmit include/linux/netdevice.h:4434 [inline]
       xmit_one net/core/dev.c:3280 [inline]
       dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
       __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
       dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
       neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
       neigh_output include/net/neighbour.h:511 [inline]
       ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
       __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
       __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
       ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 4cdf507d ("icmp: add a global rate limitation")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      c4920b85
    • Eric Dumazet's avatar
      netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() · 9293e3c6
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 56042858 upstream.
      
      syzbot is kind enough to remind us we need to call skb_may_pull()
      
      BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
      CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
       br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
       nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
       nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
       nf_hook include/linux/netfilter.h:260 [inline]
       NF_HOOK include/linux/netfilter.h:303 [inline]
       __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
       br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
       br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
       nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
       br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
       __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
       __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
       __netif_receive_skb net/core/dev.c:5043 [inline]
       process_backlog+0x610/0x13c0 net/core/dev.c:5874
       napi_poll net/core/dev.c:6311 [inline]
       net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
       __do_softirq+0x4a1/0x83a kernel/softirq.c:293
       do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
       </IRQ>
       do_softirq kernel/softirq.c:338 [inline]
       __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
       local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
       rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
       __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
       packet_snd net/packet/af_packet.c:2959 [inline]
       packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45a679
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
      RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
      RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
      R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
       kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
       kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
       slab_alloc_node mm/slub.c:2773 [inline]
       __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
       sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
       packet_alloc_skb net/packet/af_packet.c:2807 [inline]
       packet_snd net/packet/af_packet.c:2902 [inline]
       packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c4e70a87 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      9293e3c6
    • Eric Dumazet's avatar
      6pack,mkiss: fix possible deadlock · 677d32a1
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 5c9934b6 upstream.
      
      We got another syzbot report [1] that tells us we must use
      write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
      
      [1]
      
      WARNING: inconsistent lock state
      5.5.0-rc1-syzkaller #0 Not tainted
      --------------------------------
      inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
      syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
      ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
      {HARDIRQ-ON-W} state was registered at:
        lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
        __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
        _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
        sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
        tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
        tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
        tiocsetd drivers/tty/tty_io.c:2337 [inline]
        tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
        vfs_ioctl fs/ioctl.c:47 [inline]
        file_ioctl fs/ioctl.c:545 [inline]
        do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
        ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
        __do_sys_ioctl fs/ioctl.c:756 [inline]
        __se_sys_ioctl fs/ioctl.c:754 [inline]
        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
        do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      irq event stamp: 3946
      hardirqs last  enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
      hardirqs last  enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
      hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
      softirqs last  enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
      softirqs last  enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
      softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
      softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(disc_data_lock);
        <Interrupt>
          lock(disc_data_lock);
      
       *** DEADLOCK ***
      
      5 locks held by syz-executor826/9605:
       #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
       #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
       #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
       #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
       #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
       #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
      
      stack backtrace:
      CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
       valid_state kernel/locking/lockdep.c:3112 [inline]
       mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
       mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
       mark_usage kernel/locking/lockdep.c:3554 [inline]
       __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
       lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
       __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
       _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
       sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
       sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
       tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
       tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
       tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
       uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
       serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
       serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
       serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
       serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
       __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
       handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
       handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
       handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
       generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
       do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
       common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
       </IRQ>
      RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
      RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
      Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
      RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
      RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
      RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
      RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
      R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
      R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
       mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
       __mutex_lock_common kernel/locking/mutex.c:962 [inline]
       __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
       tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
       tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
       __fput+0x2ff/0x890 fs/file_table.c:280
       ____fput+0x16/0x20 fs/file_table.c:313
       task_work_run+0x145/0x1c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x8e7/0x2ef0 kernel/exit.c:797
       do_group_exit+0x135/0x360 kernel/exit.c:895
       __do_sys_exit_group kernel/exit.c:906 [inline]
       __se_sys_exit_group kernel/exit.c:904 [inline]
       __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x43fef8
      Code: Bad RIP value.
      RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
      RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
      RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
      R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
      R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
      
      Fixes: 6e4e2f81 ("6pack,mkiss: fix lock inconsistency")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      677d32a1
    • Florian Westphal's avatar
      netfilter: ebtables: compat: reject all padding in matches/watchers · a57c90ca
      Florian Westphal authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit e608f631 upstream.
      
      syzbot reported following splat:
      
      BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
      BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
      Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
      
      CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
       size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
       compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
       compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
       compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
       [..]
      
      Because padding isn't considered during computation of ->buf_user_offset,
      "total" is decremented by fewer bytes than it should.
      
      Therefore, the first part of
      
      if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
      
      will pass, -- it should not have.  This causes oob access:
      entry->next_offset is past the vmalloced size.
      
      Reject padding and check that computed user offset (sum of ebt_entry
      structure plus all individual matches/watchers/targets) is same
      value that userspace gave us as the offset of the next entry.
      
      Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
      Fixes: 81e675c2 ("netfilter: ebtables: add CONFIG_COMPAT support")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      a57c90ca
    • Arnd Bergmann's avatar
      net: davinci_cpdma: use dma_addr_t for DMA address · 3fa29534
      Arnd Bergmann authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 84092996 upstream.
      
      The davinci_cpdma mixes up physical addresses as seen from the CPU
      and DMA addresses as seen from a DMA master, since it can operate
      on both normal memory or an on-chip buffer. If dma_addr_t is
      different from phys_addr_t, this means we get a compile-time warning
      about the type mismatch:
      
      ethernet/ti/davinci_cpdma.c: In function 'cpdma_desc_pool_create':
      ethernet/ti/davinci_cpdma.c:182:48: error: passing argument 3 of 'dma_alloc_coherent' from incompatible pointer type [-Werror=incompatible-pointer-types]
         pool->cpumap = dma_alloc_coherent(dev, size, &pool->phys,
      In file included from ethernet/ti/davinci_cpdma.c:21:0:
      dma-mapping.h:398:21: note: expected 'dma_addr_t * {aka long long unsigned int *}' but argument is of type 'phys_addr_t * {aka unsigned int *}'
       static inline void *dma_alloc_coherent(struct device *dev, size_t size,
      
      This slightly restructures the code so the address we use for
      mapping RAM into a DMA address is always a dma_addr_t, avoiding
      the warning. The code is correct even if both types are 32-bit
      because the DMA master in this device only supports 32-bit addressing
      anyway, independent of the types that are used.
      
      We still assign this value to pool->phys, and that is wrong if
      the driver is ever used with an IOMMU, but that value appears to
      be never used, so there is no problem really. I've added a couple
      of comments about where we do things that are slightly violating
      the API.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarDaniel Wagner <dwagner@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      3fa29534
    • Linus Torvalds's avatar
      filldir[64]: remove WARN_ON_ONCE() for bad directory entries · c3f42106
      Linus Torvalds authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit b9959c7a upstream.
      
      This was always meant to be a temporary thing, just for testing and to
      see if it actually ever triggered.
      
      The only thing that reported it was syzbot doing disk image fuzzing, and
      then that warning is expected.  So let's just remove it before -rc4,
      because the extra sanity testing should probably go to -stable, but we
      don't want the warning to do so.
      
      Reported-by: syzbot+3031f712c7ad5dd4d926@syzkaller.appspotmail.com
      Fixes: 8a23eb80 ("Make filldir[64]() verify the directory entry filename is valid")
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSiddharth Chandrasekaran <csiddharth@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      c3f42106
    • Linus Torvalds's avatar
      Make filldir[64]() verify the directory entry filename is valid · 07c9dfce
      Linus Torvalds authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 8a23eb80 upstream.
      
      This has been discussed several times, and now filesystem people are
      talking about doing it individually at the filesystem layer, so head
      that off at the pass and just do it in getdents{64}().
      
      This is partially based on a patch by Jann Horn, but checks for NUL
      bytes as well, and somewhat simplified.
      
      There's also commentary about how it might be better if invalid names
      due to filesystem corruption don't cause an immediate failure, but only
      an error at the end of the readdir(), so that people can still see the
      filenames that are ok.
      
      There's also been discussion about just how much POSIX strictly speaking
      requires this since it's about filesystem corruption.  It's really more
      "protect user space from bad behavior" as pointed out by Jann.  But
      since Eric Biederman looked up the POSIX wording, here it is for context:
      
       "From readdir:
      
         The readdir() function shall return a pointer to a structure
         representing the directory entry at the current position in the
         directory stream specified by the argument dirp, and position the
         directory stream at the next entry. It shall return a null pointer
         upon reaching the end of the directory stream. The structure dirent
         defined in the <dirent.h> header describes a directory entry.
      
        From definitions:
      
         3.129 Directory Entry (or Link)
      
         An object that associates a filename with a file. Several directory
         entries can associate names with the same file.
      
        ...
      
         3.169 Filename
      
         A name consisting of 1 to {NAME_MAX} bytes used to name a file. The
         characters composing the name may be selected from the set of all
         character values excluding the slash character and the null byte. The
         filenames dot and dot-dot have special meaning. A filename is
         sometimes referred to as a 'pathname component'."
      
      Note that I didn't bother adding the checks to any legacy interfaces
      that nobody uses.
      
      Also note that if this ends up being noticeable as a performance
      regression, we can fix that to do a much more optimized model that
      checks for both NUL and '/' at the same time one word at a time.
      
      We haven't really tended to optimize 'memchr()', and it only checks for
      one pattern at a time anyway, and we really _should_ check for NUL too
      (but see the comment about "soft errors" in the code about why it
      currently only checks for '/')
      
      See the CONFIG_DCACHE_WORD_ACCESS case of hash_name() for how the name
      lookup code looks for pathname terminating characters in parallel.
      
      Link: https://lore.kernel.org/lkml/20190118161440.220134-2-jannh@google.com/
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jann Horn <jannh@google.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSiddharth Chandrasekaran <csiddharth@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      07c9dfce
    • Takashi Iwai's avatar
      ALSA: hda - Downgrade error message for single-cmd fallback · a4007f40
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 475feec0 ]
      
      We made the error message for the CORB/RIRB communication clearer by
      upgrading to dev_WARN() so that user can notice better.  But this
      struck us like a boomerang: now it caught syzbot and reported back as
      a fatal issue although it's not really any too serious bug that worth
      for stopping the whole system.
      
      OK, OK, let's be softy, downgrade it to the standard dev_err() again.
      
      Fixes: dd65f7e1 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly")
      Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com
      Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      a4007f40