1. 14 Mar, 2019 40 commits
    • Daniel Santos's avatar
      jffs2: Fix use of uninitialized delayed_work, lockdep breakage · 7624b29b
      Daniel Santos authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit a788c527 ]
      
      jffs2_sync_fs makes the assumption that if CONFIG_JFFS2_FS_WRITEBUFFER
      is defined then a write buffer is available and has been initialized.
      However, this does is not the case when the mtd device has no
      out-of-band buffer:
      
      int jffs2_nand_flash_setup(struct jffs2_sb_info *c)
      {
              if (!c->mtd->oobsize)
                      return 0;
      ...
      
      The resulting call to cancel_delayed_work_sync passing a uninitialized
      (but zeroed) delayed_work struct forces lockdep to become disabled.
      
      [   90.050639] overlayfs: upper fs does not support tmpfile.
      [   90.652264] INFO: trying to register non-static key.
      [   90.662171] the code is fine but needs lockdep annotation.
      [   90.673090] turning off the locking correctness validator.
      [   90.684021] CPU: 0 PID: 1762 Comm: mount_root Not tainted 4.14.63 #0
      [   90.696672] Stack : 00000000 00000000 80d8f6a2 00000038 805f0000 80444600 8fe364f4 805dfbe7
      [   90.713349]         80563a30 000006e2 8068370c 00000001 00000000 00000001 8e2fdc48 ffffffff
      [   90.730020]         00000000 00000000 80d90000 00000000 00000106 00000000 6465746e 312e3420
      [   90.746690]         6b636f6c 03bf0000 f8000000 20676e69 00000000 80000000 00000000 8e2c2a90
      [   90.763362]         80d90000 00000001 00000000 8e2c2a90 00000003 80260dc0 08052098 80680000
      [   90.780033]         ...
      [   90.784902] Call Trace:
      [   90.789793] [<8000f0d8>] show_stack+0xb8/0x148
      [   90.798659] [<8005a000>] register_lock_class+0x270/0x55c
      [   90.809247] [<8005cb64>] __lock_acquire+0x13c/0xf7c
      [   90.818964] [<8005e314>] lock_acquire+0x194/0x1dc
      [   90.828345] [<8003f27c>] flush_work+0x200/0x24c
      [   90.837374] [<80041dfc>] __cancel_work_timer+0x158/0x210
      [   90.847958] [<801a8770>] jffs2_sync_fs+0x20/0x54
      [   90.857173] [<80125cf4>] iterate_supers+0xf4/0x120
      [   90.866729] [<80158fc4>] sys_sync+0x44/0x9c
      [   90.875067] [<80014424>] syscall_common+0x34/0x58
      Signed-off-by: default avatarDaniel Santos <daniel.santos@pobox.com>
      Reviewed-by: default avatarHou Tao <houtao1@huawei.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      7624b29b
    • Anders Roxell's avatar
      arm64: perf: set suppress_bind_attrs flag to true · 9c211787
      Anders Roxell authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit 81e9fa8b ]
      
      The armv8_pmuv3 driver doesn't have a remove function, and when the test
      'CONFIG_DEBUG_TEST_DRIVER_REMOVE=y' is enabled, the following Call trace
      can be seen.
      
      [    1.424287] Failed to register pmu: armv8_pmuv3, reason -17
      [    1.424870] WARNING: CPU: 0 PID: 1 at ../kernel/events/core.c:11771 perf_event_sysfs_init+0x98/0xdc
      [    1.425220] Modules linked in:
      [    1.425531] CPU: 0 PID: 1 Comm: swapper/0 Tainted: G        W         4.19.0-rc7-next-20181012-00003-ge7a97b1ad77b-dirty #35
      [    1.425951] Hardware name: linux,dummy-virt (DT)
      [    1.426212] pstate: 80000005 (Nzcv daif -PAN -UAO)
      [    1.426458] pc : perf_event_sysfs_init+0x98/0xdc
      [    1.426720] lr : perf_event_sysfs_init+0x98/0xdc
      [    1.426908] sp : ffff00000804bd50
      [    1.427077] x29: ffff00000804bd50 x28: ffff00000934e078
      [    1.427429] x27: ffff000009546000 x26: 0000000000000007
      [    1.427757] x25: ffff000009280710 x24: 00000000ffffffef
      [    1.428086] x23: ffff000009408000 x22: 0000000000000000
      [    1.428415] x21: ffff000009136008 x20: ffff000009408730
      [    1.428744] x19: ffff80007b20b400 x18: 000000000000000a
      [    1.429075] x17: 0000000000000000 x16: 0000000000000000
      [    1.429418] x15: 0000000000000400 x14: 2e79726f74636572
      [    1.429748] x13: 696420656d617320 x12: 656874206e692065
      [    1.430060] x11: 6d616e20656d6173 x10: 2065687420687469
      [    1.430335] x9 : ffff00000804bd50 x8 : 206e6f7361657220
      [    1.430610] x7 : 2c3376756d705f38 x6 : ffff00000954d7ce
      [    1.430880] x5 : 0000000000000000 x4 : 0000000000000000
      [    1.431226] x3 : 0000000000000000 x2 : ffffffffffffffff
      [    1.431554] x1 : 4d151327adc50b00 x0 : 0000000000000000
      [    1.431868] Call trace:
      [    1.432102]  perf_event_sysfs_init+0x98/0xdc
      [    1.432382]  do_one_initcall+0x6c/0x1a8
      [    1.432637]  kernel_init_freeable+0x1bc/0x280
      [    1.432905]  kernel_init+0x18/0x160
      [    1.433115]  ret_from_fork+0x10/0x18
      [    1.433297] ---[ end trace 27fd415390eb9883 ]---
      
      Rework to set suppress_bind_attrs flag to avoid removing the device when
      CONFIG_DEBUG_TEST_DRIVER_REMOVE=y, since there's no real reason to
      remove the armv8_pmuv3 driver.
      
      Cc: Arnd Bergmann <arnd@arndb.de>
      Co-developed-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarWill Deacon <will.deacon@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      9c211787
    • Maciej W. Rozycki's avatar
      MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur · c215638a
      Maciej W. Rozycki authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit e4849aff ]
      
      The Broadcom SiByte BCM1250, BCM1125, and BCM1125H SOCs have an onchip
      DRAM controller that supports memory amounts of up to 16GiB, and due to
      how the address decoder has been wired in the SOC any memory beyond 1GiB
      is actually mapped starting from 4GiB physical up, that is beyond the
      32-bit addressable limit[1].  Consequently if the maximum amount of
      memory has been installed, then it will span up to 19GiB.
      
      Many of the evaluation boards we support that are based on one of these
      SOCs have their memory soldered and the amount present fits in the
      32-bit address range.  The BCM91250A SWARM board however has actual DIMM
      slots and accepts, depending on the peripherals revision of the SOC, up
      to 4GiB or 8GiB of memory in commercially available JEDEC modules[2].
      I believe this is also the case with the BCM91250C2 LittleSur board.
      This means that up to either 3GiB or 7GiB of memory requires 64-bit
      addressing to access.
      
      I believe the BCM91480B BigSur board, which has the BCM1480 SOC instead,
      accepts at least as much memory, although I have no documentation or
      actual hardware available to verify that.
      
      Both systems have PCI slots installed for use by any PCI option boards,
      including ones that only support 32-bit addressing (additionally the
      32-bit PCI host bridge of the BCM1250, BCM1125, and BCM1125H SOCs limits
      addressing to 32-bits), and there is no IOMMU available.  Therefore for
      PCI DMA to work in the presence of memory beyond enable swiotlb for the
      affected systems.
      
      All the other SOC onchip DMA devices use 40-bit addressing and therefore
      can address the whole memory, so only enable swiotlb if PCI support and
      support for DMA beyond 4GiB have been both enabled in the configuration
      of the kernel.
      
      This shows up as follows:
      
      Broadcom SiByte BCM1250 B2 @ 800 MHz (SB1 rev 2)
      Board type: SiByte BCM91250A (SWARM)
      Determined physical RAM map:
       memory: 000000000fe7fe00 @ 0000000000000000 (usable)
       memory: 000000001ffffe00 @ 0000000080000000 (usable)
       memory: 000000000ffffe00 @ 00000000c0000000 (usable)
       memory: 0000000087fffe00 @ 0000000100000000 (usable)
      software IO TLB: mapped [mem 0xcbffc000-0xcfffc000] (64MB)
      
      in the bootstrap log and removes failures like these:
      
      defxx 0000:02:00.0: dma_direct_map_page: overflow 0x0000000185bc6080+4608 of device mask ffffffff bus mask 0
      fddi0: Receive buffer allocation failed
      fddi0: Adapter open failed!
      IP-Config: Failed to open fddi0
      defxx 0000:09:08.0: dma_direct_map_page: overflow 0x0000000185bc6080+4608 of device mask ffffffff bus mask 0
      fddi1: Receive buffer allocation failed
      fddi1: Adapter open failed!
      IP-Config: Failed to open fddi1
      
      when memory beyond 4GiB is handed out to devices that can only do 32-bit
      addressing.
      
      This updates commit cce335ae ("[MIPS] 64-bit Sibyte kernels need
      DMA32.").
      
      References:
      
      [1] "BCM1250/BCM1125/BCM1125H User Manual", Revision 1250_1125-UM100-R,
          Broadcom Corporation, 21 Oct 2002, Section 3: "System Overview",
          "Memory Map", pp. 34-38
      
      [2] "BCM91250A User Manual", Revision 91250A-UM100-R, Broadcom
          Corporation, 18 May 2004, Section 3: "Physical Description",
          "Supported DRAM", p. 23
      Signed-off-by: default avatarMaciej W. Rozycki <macro@linux-mips.org>
      [paul.burton@mips.com: Remove GPL text from dma.c; SPDX tag covers it]
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Patchwork: https://patchwork.linux-mips.org/patch/21108/
      References: cce335ae ("[MIPS] 64-bit Sibyte kernels need DMA32.")
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c215638a
    • Anders Roxell's avatar
      writeback: don't decrement wb->refcnt if !wb->bdi · 761a004b
      Anders Roxell authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit 347a28b5 ]
      
      This happened while running in qemu-system-aarch64, the AMBA PL011 UART
      driver when enabling CONFIG_DEBUG_TEST_DRIVER_REMOVE.
      arch_initcall(pl011_init) came before subsys_initcall(default_bdi_init),
      devtmpfs' handle_remove() crashes because the reference count is a NULL
      pointer only because wb->bdi hasn't been initialized yet.
      
      Rework so that wb_put have an extra check if wb->bdi before decrement
      wb->refcnt and also add a WARN_ON_ONCE to get a warning if it happens again
      in other drivers.
      
      Fixes: 52ebea74 ("writeback: make backing_dev_info host cgroup-specific bdi_writebacks")
      Co-developed-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarAnders Roxell <anders.roxell@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      761a004b
    • Miroslav Lichvar's avatar
      e1000e: allow non-monotonic SYSTIM readings · 4ff73023
      Miroslav Lichvar authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit e1f65b0d ]
      
      It seems with some NICs supported by the e1000e driver a SYSTIM reading
      may occasionally be few microseconds before the previous reading and if
      enabled also pass e1000e_sanitize_systim() without reaching the maximum
      number of rereads, even if the function is modified to check three
      consecutive readings (i.e. it doesn't look like a double read error).
      This causes an underflow in the timecounter and the PHC time jumps hours
      ahead.
      
      This was observed on 82574, I217 and I219. The fastest way to reproduce
      it is to run a program that continuously calls the PTP_SYS_OFFSET ioctl
      on the PHC.
      
      Modify e1000e_phc_gettime() to use timecounter_cyc2time() instead of
      timecounter_read() in order to allow non-monotonic SYSTIM readings and
      prevent the PHC from jumping.
      
      Cc: Richard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarMiroslav Lichvar <mlichvar@redhat.com>
      Acked-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      4ff73023
    • João Paulo Rechi Vita's avatar
      platform/x86: asus-wmi: Tell the EC the OS will handle the display off hotkey · 423c2148
      João Paulo Rechi Vita authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit 78f3ac76 ]
      
      In the past, Asus firmwares would change the panel backlight directly
      through the EC when the display off hotkey (Fn+F7) was pressed, and
      only notify the OS of such change, with 0x33 when the LCD was ON and
      0x34 when the LCD was OFF. These are currently mapped to
      KEY_DISPLAYTOGGLE and KEY_DISPLAY_OFF, respectively.
      
      Most recently the EC on Asus most machines lost ability to toggle the
      LCD backlight directly, but unless the OS informs the firmware it is
      going to handle the display toggle hotkey events, the firmware still
      tries change the brightness through the EC, to no effect. The end result
      is a long list (at Endless we counted 11) of Asus laptop models where
      the display toggle hotkey does not perform any action. Our firmware
      engineers contacts at Asus were surprised that there were still machines
      out there with the old behavior.
      
      Calling WMNB(ASUS_WMI_DEVID_BACKLIGHT==0x00050011, 2) on the _WDG device
      tells the firmware that it should let the OS handle the display toggle
      event, in which case it will simply notify the OS of a key press with
      0x35, as shown by the DSDT excerpts bellow.
      
       Scope (_SB)
       {
           (...)
      
           Device (ATKD)
           {
               (...)
      
               Name (_WDG, Buffer (0x28)
               {
                   /* 0000 */  0xD0, 0x5E, 0x84, 0x97, 0x6D, 0x4E, 0xDE, 0x11,
                   /* 0008 */  0x8A, 0x39, 0x08, 0x00, 0x20, 0x0C, 0x9A, 0x66,
                   /* 0010 */  0x4E, 0x42, 0x01, 0x02, 0x35, 0xBB, 0x3C, 0x0B,
                   /* 0018 */  0xC2, 0xE3, 0xED, 0x45, 0x91, 0xC2, 0x4C, 0x5A,
                   /* 0020 */  0x6D, 0x19, 0x5D, 0x1C, 0xFF, 0x00, 0x01, 0x08
               })
               Method (WMNB, 3, Serialized)
               {
                   CreateDWordField (Arg2, Zero, IIA0)
                   CreateDWordField (Arg2, 0x04, IIA1)
                   Local0 = (Arg1 & 0xFFFFFFFF)
      
                   (...)
      
                   If ((Local0 == 0x53564544))
                   {
                       (...)
      
                       If ((IIA0 == 0x00050011))
                       {
                           If ((IIA1 == 0x02))
                           {
                               ^^PCI0.SBRG.EC0.SPIN (0x72, One)
                               ^^PCI0.SBRG.EC0.BLCT = One
                           }
      
                           Return (One)
                       }
                   }
                   (...)
               }
               (...)
           }
           (...)
       }
       (...)
      
       Scope (_SB.PCI0.SBRG.EC0)
       {
           (...)
      
           Name (BLCT, Zero)
      
           (...)
      
           Method (_Q10, 0, NotSerialized)  // _Qxx: EC Query
           {
               If ((BLCT == Zero))
               {
                   Local0 = One
                   Local0 = RPIN (0x72)
                   Local0 ^= One
                   SPIN (0x72, Local0)
                   If (ATKP)
                   {
                       Local0 = (0x34 - Local0)
                       ^^^^ATKD.IANE (Local0)
                   }
               }
               ElseIf ((BLCT == One))
               {
                   If (ATKP)
                   {
                       ^^^^ATKD.IANE (0x35)
                   }
               }
           }
           (...)
       }
      Signed-off-by: default avatarJoão Paulo Rechi Vita <jprvita@endlessm.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      423c2148
    • David Ahern's avatar
      ipv6: Take rcu_read_lock in __inet6_bind for mapped addresses · 563cd69a
      David Ahern authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit d4a7e9bb ]
      
      I realized the last patch calls dev_get_by_index_rcu in a branch not
      holding the rcu lock. Add the calls to rcu_read_lock and rcu_read_unlock.
      
      Fixes: ec90ad33 ("ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      563cd69a
    • David Ahern's avatar
      ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address · 8547ebf0
      David Ahern authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit ec90ad33 ]
      
      Similar to c5ee0663 ("ipv6: Consider sk_bound_dev_if when binding a
      socket to an address"), binding a socket to v4 mapped addresses needs to
      consider if the socket is bound to a device.
      
      This problem also exists from the beginning of git history.
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      8547ebf0
    • Kai-Heng Feng's avatar
      r8169: Add support for new Realtek Ethernet · 4cf6ff6a
      Kai-Heng Feng authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit 36352991 ]
      
      There are two new Realtek Ethernet devices which are re-branded r8168h.
      Add the IDs to to support them.
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Reviewed-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      4cf6ff6a
    • Mauro Carvalho Chehab's avatar
      media: vb2: be sure to unlock mutex on errors · bcd3bf76
      Mauro Carvalho Chehab authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit c06ef2e9 upstream.
      
      As reported by smatch:
      drivers/media/common/videobuf2/videobuf2-core.c: drivers/media/common/videobuf2/videobuf2-core.c:2159 vb2_mmap() warn: inconsistent returns 'mutex:&q->mmap_lock'.
        Locked on:   line 2148
        Unlocked on: line 2100
                     line 2108
                     line 2113
                     line 2118
                     line 2156
                     line 2159
      
      There is one error condition that doesn't unlock a mutex.
      
      Fixes: cd26d1c4 ("media: vb2: vb2_mmap: move lock up")
      Reviewed-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      bcd3bf76
    • Ivan Mironov's avatar
      drm/fb-helper: Ignore the value of fb_var_screeninfo.pixclock · 38cb54cf
      Ivan Mironov authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 66a8d5bf upstream.
      
      Strict requirement of pixclock to be zero breaks support of SDL 1.2
      which contains hardcoded table of supported video modes with non-zero
      pixclock values[1].
      
      To better understand which pixclock values are considered valid and how
      driver should handle these values, I briefly examined few existing fbdev
      drivers and documentation in Documentation/fb/. And it looks like there
      are no strict rules on that and actual behaviour varies:
      
      	* some drivers treat (pixclock == 0) as "use defaults" (uvesafb.c);
      	* some treat (pixclock == 0) as invalid value which leads to
      	  -EINVAL (clps711x-fb.c);
      	* some pass converted pixclock value to hardware (uvesafb.c);
      	* some are trying to find nearest value from predefined table
                (vga16fb.c, video_gx.c).
      
      Given this, I believe that it should be safe to just ignore this value if
      changing is not supported. It seems that any portable fbdev application
      which was not written only for one specific device working under one
      specific kernel version should not rely on any particular behaviour of
      pixclock anyway.
      
      However, while enabling SDL1 applications to work out of the box when
      there is no /etc/fb.modes with valid settings, this change affects the
      video mode choosing logic in SDL. Depending on current screen
      resolution, contents of /etc/fb.modes and resolution requested by
      application, this may lead to user-visible difference (not always):
      image will be displayed in a right way, but it will be aligned to the
      left instead of center. There is no "right behaviour" here as well, as
      emulated fbdev, opposing to old fbdev drivers, simply ignores any
      requsts of video mode changes with resolutions smaller than current.
      
      The easiest way to reproduce this problem is to install sdl-sopwith[2],
      remove /etc/fb.modes file if it exists, and then try to run sopwith
      from console without X. At least in Fedora 29, sopwith may be simply
      installed from standard repositories.
      
      [1] SDL 1.2.15 source code, src/video/fbcon/SDL_fbvideo.c, vesa_timings
      [2] http://sdl-sopwith.sourceforge.net/Signed-off-by: default avatarIvan Mironov <mironov.ivan@gmail.com>
      Cc: stable@vger.kernel.org
      Fixes: 79e53945 ("DRM: i915: add mode setting support")
      Fixes: 771fe6b9 ("drm/radeon: introduce kernel modesetting for radeon hardware")
      Fixes: 785b93ef ("drm/kms: move driver specific fb common code to helper functions (v2)")
      Signed-off-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190108072353.28078-3-mironov.ivan@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      38cb54cf
    • Tetsuo Handa's avatar
      loop: Fix double mutex_unlock(&loop_ctl_mutex) in loop_control_ioctl() · 45808be6
      Tetsuo Handa authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 628bd859 upstream.
      
      Commit 0a42e99b ("loop: Get rid of loop_index_mutex") forgot to
      remove mutex_unlock(&loop_ctl_mutex) from loop_control_ioctl() when
      replacing loop_index_mutex with loop_ctl_mutex.
      
      Fixes: 0a42e99b ("loop: Get rid of loop_index_mutex")
      Reported-by: default avatarsyzbot <syzbot+c0138741c2290fc5e63f@syzkaller.appspotmail.com>
      Reviewed-by: default avatarMing Lei <ming.lei@redhat.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      45808be6
    • Jan Kara's avatar
      loop: Get rid of loop_index_mutex · af08a6f1
      Jan Kara authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 0a42e99b upstream.
      
      Now that loop_ctl_mutex is global, just get rid of loop_index_mutex as
      there is no good reason to keep these two separate and it just
      complicates the locking.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      af08a6f1
    • Jan Kara's avatar
      loop: Fold __loop_release into loop_release · 22c44adf
      Jan Kara authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 967d1dc1 upstream.
      
      __loop_release() has a single call site. Fold it there. This is
      currently not a huge win but it will make following replacement of
      loop_index_mutex more obvious.
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      22c44adf
    • Tetsuo Handa's avatar
      block/loop: Use global lock for ioctl() operation. · c67b942b
      Tetsuo Handa authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 310ca162 upstream.
      
      syzbot is reporting NULL pointer dereference [1] which is caused by
      race condition between ioctl(loop_fd, LOOP_CLR_FD, 0) versus
      ioctl(other_loop_fd, LOOP_SET_FD, loop_fd) due to traversing other
      loop devices at loop_validate_file() without holding corresponding
      lo->lo_ctl_mutex locks.
      
      Since ioctl() request on loop devices is not frequent operation, we don't
      need fine grained locking. Let's use global lock in order to allow safe
      traversal at loop_validate_file().
      
      Note that syzbot is also reporting circular locking dependency between
      bdev->bd_mutex and lo->lo_ctl_mutex [2] which is caused by calling
      blkdev_reread_part() with lock held. This patch does not address it.
      
      [1] https://syzkaller.appspot.com/bug?id=f3cfe26e785d85f9ee259f385515291d21bd80a3
      [2] https://syzkaller.appspot.com/bug?id=bf154052f0eea4bc7712499e4569505907d15889Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+bf89c128e05dd6c62523@syzkaller.appspotmail.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c67b942b
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_doit · 001c9e59
      Ying Xue authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 2753ca5d upstream.
      
      BUG: KMSAN: uninit-value in tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
      CPU: 0 PID: 4514 Comm: syz-executor485 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
       tipc_nl_compat_recv+0x164b/0x2700 net/tipc/netlink_compat.c:1153
       genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
       genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
       netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
       netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
       netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x43fda9
      RSP: 002b:00007ffd0c184ba8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9
      RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000004002c8 R11: 0000000000000213 R12: 00000000004016d0
      R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
       slab_post_alloc_hook mm/slab.h:445 [inline]
       slab_alloc_node mm/slub.c:2737 [inline]
       __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:984 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
       netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      In tipc_nl_compat_recv(), when the len variable returned by
      nlmsg_attrlen() is 0, the message is still treated as a valid one,
      which is obviously unresonable. When len is zero, it means the
      message not only doesn't contain any valid TLV payload, but also
      TLV header is not included. Under this stituation, tlv_type field
      in TLV header is still accessed in tipc_nl_compat_dumpit() or
      tipc_nl_compat_doit(), but the field space is obviously illegal.
      Of course, it is not initialized.
      
      Reported-by: syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com
      Reported-by: syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      001c9e59
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_name_table_dump · 8f87e64b
      Ying Xue authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 974cb0e3 upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
      BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
      BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
      CPU: 0 PID: 6290 Comm: syz-executor848 Not tainted 4.19.0-rc8+ #70
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x306/0x460 lib/dump_stack.c:113
       kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
       __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
       __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
       __fswab32 include/uapi/linux/swab.h:59 [inline]
       tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
       __tipc_nl_compat_dumpit+0x59e/0xdb0 net/tipc/netlink_compat.c:205
       tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:270
       tipc_nl_compat_handle net/tipc/netlink_compat.c:1151 [inline]
       tipc_nl_compat_recv+0x1402/0x2760 net/tipc/netlink_compat.c:1210
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x440179
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffecec49318 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
      R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
      R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
       kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
       kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2727 [inline]
       __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:996 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
       netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      We cannot take for granted the thing that the length of data contained
      in TLV is longer than the size of struct tipc_name_table_query in
      tipc_nl_compat_name_table_dump().
      
      Reported-by: syzbot+06e771a754829716a327@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      8f87e64b
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_link_set · 41206fa0
      Ying Xue authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit edf5ff04 upstream.
      
      syzbot reports following splat:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
      CPU: 1 PID: 9306 Comm: syz-executor172 Not tainted 4.20.0-rc7+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x173/0x1d0 lib/dump_stack.c:113
        kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
        __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
        strlen+0x3b/0xa0 lib/string.c:486
        nla_put_string include/net/netlink.h:1154 [inline]
        __tipc_nl_compat_link_set net/tipc/netlink_compat.c:708 [inline]
        tipc_nl_compat_link_set+0x929/0x1220 net/tipc/netlink_compat.c:744
        __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
        tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
        tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
        genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
        genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
        netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
        genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
        netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
        netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
        netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
        sock_sendmsg_nosec net/socket.c:621 [inline]
        sock_sendmsg net/socket.c:631 [inline]
        ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
        __sys_sendmsg net/socket.c:2154 [inline]
        __do_sys_sendmsg net/socket.c:2163 [inline]
        __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
        __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
        do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
        entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The uninitialised access happened in
          nla_put_string(skb, TIPC_NLA_LINK_NAME, lc->name)
      
      This is because lc->name string is not validated before it's used.
      
      Reported-by: syzbot+d78b8a29241a195aefb8@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      41206fa0
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_bearer_enable · 98426363
      Ying Xue authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 0762216c upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484
      CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x306/0x460 lib/dump_stack.c:113
       kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
       __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
       strlen+0x3b/0xa0 lib/string.c:484
       nla_put_string include/net/netlink.h:1011 [inline]
       tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389
       __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
       tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344
       tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x440179
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
      R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
      R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
       kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
       kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2727 [inline]
       __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:996 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
       netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The root cause is that we don't validate whether bear name is a valid
      string in tipc_nl_compat_bearer_enable().
      
      Meanwhile, we also fix the same issue in the following functions:
      tipc_nl_compat_bearer_disable()
      tipc_nl_compat_link_stat_dump()
      tipc_nl_compat_media_set()
      tipc_nl_compat_bearer_set()
      
      Reported-by: syzbot+b33d5cae0efd35dbfe77@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      98426363
    • Ying Xue's avatar
      tipc: fix uninit-value in tipc_nl_compat_link_reset_stats · 0e3fcc89
      Ying Xue authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 8b66fee7 upstream.
      
      syzbot reports following splat:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
      CPU: 1 PID: 11057 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x173/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
       __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
       strlen+0x3b/0xa0 lib/string.c:486
       nla_put_string include/net/netlink.h:1154 [inline]
       tipc_nl_compat_link_reset_stats+0x1f0/0x360 net/tipc/netlink_compat.c:760
       __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
       tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
       tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
       tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x457ec9
      Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f2557338c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f25573396d4
      R13: 00000000004cb478 R14: 00000000004d86c8 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
       kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
       kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
       kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2759 [inline]
       __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
       __kmalloc_reserve net/core/skbuff.c:137 [inline]
       __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
       alloc_skb include/linux/skbuff.h:998 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
       netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The uninitialised access happened in tipc_nl_compat_link_reset_stats:
          nla_put_string(skb, TIPC_NLA_LINK_NAME, name)
      
      This is because name string is not validated before it's used.
      
      Reported-by: syzbot+e01d94b5a4c266be6e4c@syzkaller.appspotmail.com
      Signed-off-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      0e3fcc89
    • Xin Long's avatar
      sctp: allocate sctp_sockaddr_entry with kzalloc · 857ee4c2
      Xin Long authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 400b8b9a upstream.
      
      The similar issue as fixed in Commit 4a2eb0c3 ("sctp: initialize
      sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
      in sctp_inetaddr_event, as Alexander noticed.
      
      To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
      ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().
      Reported-by: default avatarAlexander Potapenko <glider@google.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      857ee4c2
    • Stephen Smalley's avatar
      selinux: fix GPF on invalid policy · 1ae2cb85
      Stephen Smalley authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 5b0e7310 upstream.
      
      levdatum->level can be NULL if we encounter an error while loading
      the policy during sens_read prior to initializing it.  Make sure
      sens_destroy handles that case correctly.
      
      Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
      Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      1ae2cb85
    • J. Bruce Fields's avatar
      sunrpc: handle ENOMEM in rpcb_getport_async · ec1fc58b
      J. Bruce Fields authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 81c88b18 upstream.
      
      If we ignore the error we'll hit a null dereference a little later.
      
      Reported-by: syzbot+4b98281f2401ab849f4b@syzkaller.appspotmail.com
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      ec1fc58b
    • Hans Verkuil's avatar
      media: vb2: vb2_mmap: move lock up · b4b4be2a
      Hans Verkuil authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit cd26d1c4 upstream.
      
      If a filehandle is dup()ped, then it is possible to close it from one fd
      and call mmap from the other. This creates a race condition in vb2_mmap
      where it is using queue data that __vb2_queue_free (called from close())
      is in the process of releasing.
      
      By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
      since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
      now reads consistent buffer data.
      Signed-off-by: default avatarHans Verkuil <hverkuil@xs4all.nl>
      Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
      Signed-off-by: default avatarHans Verkuil <hansverk@cisco.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      b4b4be2a
    • James Morris's avatar
      LSM: Check for NULL cred-security on free · b29cb291
      James Morris authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit a5795fd3 upstream.
      
      From: Casey Schaufler <casey@schaufler-ca.com>
      
      Check that the cred security blob has been set before trying
      to clean it up. There is a case during credential initialization
      that could result in this.
      Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
      Acked-by: default avatarJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      Reported-by: syzbot+69ca07954461f189e808@syzkaller.appspotmail.com
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      b29cb291
    • Hans Verkuil's avatar
      media: vivid: set min width/height to a value > 0 · 3a3e1572
      Hans Verkuil authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 9729d6d2 upstream.
      
      The capture DV timings capabilities allowed for a minimum width and
      height of 0. So passing a timings struct with 0 values is allowed
      and will later cause a division by zero.
      
      Ensure that the width and height must be >= 16 to avoid this.
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: syzbot+57c3d83d71187054d56f@syzkaller.appspotmail.com
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      3a3e1572
    • Hans Verkuil's avatar
      media: vivid: fix error handling of kthread_run · 5d64b0d8
      Hans Verkuil authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 701f49bc upstream.
      
      kthread_run returns an error pointer, but elsewhere in the code
      dev->kthread_vid_cap/out is checked against NULL.
      
      If kthread_run returns an error, then set the pointer to NULL.
      
      I chose this method over changing all kthread_vid_cap/out tests
      elsewhere since this is more robust.
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: syzbot+53d5b2df0d9744411e2e@syzkaller.appspotmail.com
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      5d64b0d8
    • Vlad Tsyrklevich's avatar
      omap2fb: Fix stack memory disclosure · e9142c9e
      Vlad Tsyrklevich authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit a01421e4 upstream.
      
      Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
      OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
      cases could all leak uninitialized stack memory--either due to
      uninitialized padding or 'reserved' fields.
      
      Fix them by clearing the shared union used to store copied out data.
      
      [1] https://github.com/vlad902/kernel-uninitialized-memory-checkerSigned-off-by: default avatarVlad Tsyrklevich <vlad@tsyrklevich.net>
      Reviewed-by: default avatarKees Cook <keescook@chromium.org>
      Fixes: b39a982d ("OMAP: DSS2: omapfb driver")
      Cc: security@kernel.org
      [b.zolnierkie: prefix patch subject with "omap2fb: "]
      Signed-off-by: default avatarBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      e9142c9e
    • YunQiang Su's avatar
      Disable MSI also when pcie-octeon.pcie_disable on · 809663bf
      YunQiang Su authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit a214720c upstream.
      
      Octeon has an boot-time option to disable pcie.
      
      Since MSI depends on PCI-E, we should also disable MSI also with
      this option is on in order to avoid inadvertently accessing PCIe
      registers.
      Signed-off-by: default avatarYunQiang Su <ysu@wavecomp.com>
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Cc: pburton@wavecomp.com
      Cc: linux-mips@vger.kernel.org
      Cc: aaro.koskinen@iki.fi
      Cc: stable@vger.kernel.org # v3.3+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      809663bf
    • Jonathan Hunter's avatar
      mfd: tps6586x: Handle interrupts on suspend · a456923f
      Jonathan Hunter authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit ac4ca4b9 upstream.
      
      The tps6586x driver creates an irqchip that is used by its various child
      devices for managing interrupts. The tps6586x-rtc device is one of its
      children that uses the tps6586x irqchip. When using the tps6586x-rtc as
      a wake-up device from suspend, the following is seen:
      
       PM: Syncing filesystems ... done.
       Freezing user space processes ... (elapsed 0.001 seconds) done.
       OOM killer disabled.
       Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done.
       Disabling non-boot CPUs ...
       Entering suspend state LP1
       Enabling non-boot CPUs ...
       CPU1 is up
       tps6586x 3-0034: failed to read interrupt status
       tps6586x 3-0034: failed to read interrupt status
      
      The reason why the tps6586x interrupt status cannot be read is because
      the tps6586x interrupt is not masked during suspend and when the
      tps6586x-rtc interrupt occurs, to wake-up the device, the interrupt is
      seen before the i2c controller has been resumed in order to read the
      tps6586x interrupt status.
      
      The tps6586x-rtc driver sets it's interrupt as a wake-up source during
      suspend, which gets propagated to the parent tps6586x interrupt.
      However, the tps6586x-rtc driver cannot disable it's interrupt during
      suspend otherwise we would never be woken up and so the tps6586x must
      disable it's interrupt instead.
      
      Prevent the tps6586x interrupt handler from executing on exiting suspend
      before the i2c controller has been resumed by disabling the tps6586x
      interrupt on entering suspend and re-enabling it on resuming from
      suspend.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Reviewed-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Tested-by: default avatarDmitry Osipenko <digetx@gmail.com>
      Acked-by: default avatarThierry Reding <treding@nvidia.com>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      a456923f
    • Arnd Bergmann's avatar
      mips: fix n32 compat_ipc_parse_version · 1bf2b4f2
      Arnd Bergmann authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 5a9372f7 upstream.
      
      While reading through the sysvipc implementation, I noticed that the n32
      semctl/shmctl/msgctl system calls behave differently based on whether
      o32 support is enabled or not: Without o32, the IPC_64 flag passed by
      user space is rejected but calls without that flag get IPC_64 behavior.
      
      As far as I can tell, this was inadvertently changed by a cleanup patch
      but never noticed by anyone, possibly nobody has tried using sysvipc
      on n32 after linux-3.19.
      
      Change it back to the old behavior now.
      
      Fixes: 78aaf956 ("MIPS: Compat: Fix build error if CONFIG_MIPS32_COMPAT but no compat ABI.")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Cc: linux-mips@vger.kernel.org
      Cc: stable@vger.kernel.org # 3.19+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      1bf2b4f2
    • Ivan Mironov's avatar
      scsi: sd: Fix cache_type_store() · 54734999
      Ivan Mironov authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 44759979 upstream.
      
      Changing of caching mode via /sys/devices/.../scsi_disk/.../cache_type may
      fail if device responds to MODE SENSE command with DPOFUA flag set, and
      then checks this flag to be not set on MODE SELECT command.
      
      In this scenario, when trying to change cache_type, write always fails:
      
      	# echo "none" >cache_type
      	bash: echo: write error: Invalid argument
      
      And following appears in dmesg:
      
      	[13007.865745] sd 1:0:1:0: [sda] Sense Key : Illegal Request [current]
      	[13007.865753] sd 1:0:1:0: [sda] Add. Sense: Invalid field in parameter list
      
      From SBC-4 r15, 6.5.1 "Mode pages overview", description of DEVICE-SPECIFIC
      PARAMETER field in the mode parameter header:
      	...
      	The write protect (WP) bit for mode data sent with a MODE SELECT
      	command shall be ignored by the device server.
      	...
      	The DPOFUA bit is reserved for mode data sent with a MODE SELECT
      	command.
      	...
      
      The remaining bits in the DEVICE-SPECIFIC PARAMETER byte are also reserved
      and shall be set to zero.
      
      [mkp: shuffled commentary to commit description]
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarIvan Mironov <mironov.ivan@gmail.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      54734999
    • Kees Cook's avatar
      Yama: Check for pid death before checking ancestry · c5fd8a79
      Kees Cook authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 9474f4e7 upstream.
      
      It's possible that a pid has died before we take the rcu lock, in which
      case we can't walk the ancestry list as it may be detached. Instead, check
      for death first before doing the walk.
      
      Reported-by: syzbot+a9ac39bf55329e206219@syzkaller.appspotmail.com
      Fixes: 2d514487 ("security: Yama LSM")
      Cc: stable@vger.kernel.org
      Suggested-by: default avatarOleg Nesterov <oleg@redhat.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarJames Morris <james.morris@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      c5fd8a79
    • Josef Bacik's avatar
      btrfs: wait on ordered extents on abort cleanup · 5f0b537d
      Josef Bacik authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 74d5d229 upstream.
      
      If we flip read-only before we initiate writeback on all dirty pages for
      ordered extents we've created then we'll have ordered extents left over
      on umount, which results in all sorts of bad things happening.  Fix this
      by making sure we wait on ordered extents if we have to do the aborted
      transaction cleanup stuff.
      
      generic/475 can produce this warning:
      
       [ 8531.177332] WARNING: CPU: 2 PID: 11997 at fs/btrfs/disk-io.c:3856 btrfs_free_fs_root+0x95/0xa0 [btrfs]
       [ 8531.183282] CPU: 2 PID: 11997 Comm: umount Tainted: G        W 5.0.0-rc1-default+ #394
       [ 8531.185164] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),BIOS rel-1.11.2-0-gf9626cc-prebuilt.qemu-project.org 04/01/2014
       [ 8531.187851] RIP: 0010:btrfs_free_fs_root+0x95/0xa0 [btrfs]
       [ 8531.193082] RSP: 0018:ffffb1ab86163d98 EFLAGS: 00010286
       [ 8531.194198] RAX: ffff9f3449494d18 RBX: ffff9f34a2695000 RCX:0000000000000000
       [ 8531.195629] RDX: 0000000000000002 RSI: 0000000000000001 RDI:0000000000000000
       [ 8531.197315] RBP: ffff9f344e930000 R08: 0000000000000001 R09:0000000000000000
       [ 8531.199095] R10: 0000000000000000 R11: ffff9f34494d4ff8 R12:ffffb1ab86163dc0
       [ 8531.200870] R13: ffff9f344e9300b0 R14: ffffb1ab86163db8 R15:0000000000000000
       [ 8531.202707] FS:  00007fc68e949fc0(0000) GS:ffff9f34bd800000(0000)knlGS:0000000000000000
       [ 8531.204851] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       [ 8531.205942] CR2: 00007ffde8114dd8 CR3: 000000002dfbd000 CR4:00000000000006e0
       [ 8531.207516] Call Trace:
       [ 8531.208175]  btrfs_free_fs_roots+0xdb/0x170 [btrfs]
       [ 8531.210209]  ? wait_for_completion+0x5b/0x190
       [ 8531.211303]  close_ctree+0x157/0x350 [btrfs]
       [ 8531.212412]  generic_shutdown_super+0x64/0x100
       [ 8531.213485]  kill_anon_super+0x14/0x30
       [ 8531.214430]  btrfs_kill_super+0x12/0xa0 [btrfs]
       [ 8531.215539]  deactivate_locked_super+0x29/0x60
       [ 8531.216633]  cleanup_mnt+0x3b/0x70
       [ 8531.217497]  task_work_run+0x98/0xc0
       [ 8531.218397]  exit_to_usermode_loop+0x83/0x90
       [ 8531.219324]  do_syscall_64+0x15b/0x180
       [ 8531.220192]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
       [ 8531.221286] RIP: 0033:0x7fc68e5e4d07
       [ 8531.225621] RSP: 002b:00007ffde8116608 EFLAGS: 00000246 ORIG_RAX:00000000000000a6
       [ 8531.227512] RAX: 0000000000000000 RBX: 00005580c2175970 RCX:00007fc68e5e4d07
       [ 8531.229098] RDX: 0000000000000001 RSI: 0000000000000000 RDI:00005580c2175b80
       [ 8531.230730] RBP: 0000000000000000 R08: 00005580c2175ba0 R09:00007ffde8114e80
       [ 8531.232269] R10: 0000000000000000 R11: 0000000000000246 R12:00005580c2175b80
       [ 8531.233839] R13: 00007fc68eac61c4 R14: 00005580c2175a68 R15:0000000000000000
      
      Leaving a tree in the rb-tree:
      
      3853 void btrfs_free_fs_root(struct btrfs_root *root)
      3854 {
      3855         iput(root->ino_cache_inode);
      3856         WARN_ON(!RB_EMPTY_ROOT(&root->inode_tree));
      
      CC: stable@vger.kernel.org
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Signed-off-by: default avatarJosef Bacik <josef@toxicpanda.com>
      [ add stacktrace ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      5f0b537d
    • Eric Biggers's avatar
      crypto: authenc - fix parsing key with misaligned rta_len · ac90a423
      Eric Biggers authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit 8f9c4693 upstream.
      
      Keys for "authenc" AEADs are formatted as an rtattr containing a 4-byte
      'enckeylen', followed by an authentication key and an encryption key.
      crypto_authenc_extractkeys() parses the key to find the inner keys.
      
      However, it fails to consider the case where the rtattr's payload is
      longer than 4 bytes but not 4-byte aligned, and where the key ends
      before the next 4-byte aligned boundary.  In this case, 'keylen -=
      RTA_ALIGN(rta->rta_len);' underflows to a value near UINT_MAX.  This
      causes a buffer overread and crash during crypto_ahash_setkey().
      
      Fix it by restricting the rtattr payload to the expected size.
      
      Reproducer using AF_ALG:
      
      	#include <linux/if_alg.h>
      	#include <linux/rtnetlink.h>
      	#include <sys/socket.h>
      
      	int main()
      	{
      		int fd;
      		struct sockaddr_alg addr = {
      			.salg_type = "aead",
      			.salg_name = "authenc(hmac(sha256),cbc(aes))",
      		};
      		struct {
      			struct rtattr attr;
      			__be32 enckeylen;
      			char keys[1];
      		} __attribute__((packed)) key = {
      			.attr.rta_len = sizeof(key),
      			.attr.rta_type = 1 /* CRYPTO_AUTHENC_KEYA_PARAM */,
      		};
      
      		fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
      		bind(fd, (void *)&addr, sizeof(addr));
      		setsockopt(fd, SOL_ALG, ALG_SET_KEY, &key, sizeof(key));
      	}
      
      It caused:
      
      	BUG: unable to handle kernel paging request at ffff88007ffdc000
      	PGD 2e01067 P4D 2e01067 PUD 2e04067 PMD 2e05067 PTE 0
      	Oops: 0000 [#1] SMP
      	CPU: 0 PID: 883 Comm: authenc Not tainted 4.20.0-rc1-00108-g00c9fe37 #13
      	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-20181126_142135-anatol 04/01/2014
      	RIP: 0010:sha256_ni_transform+0xb3/0x330 arch/x86/crypto/sha256_ni_asm.S:155
      	[...]
      	Call Trace:
      	 sha256_ni_finup+0x10/0x20 arch/x86/crypto/sha256_ssse3_glue.c:321
      	 crypto_shash_finup+0x1a/0x30 crypto/shash.c:178
      	 shash_digest_unaligned+0x45/0x60 crypto/shash.c:186
      	 crypto_shash_digest+0x24/0x40 crypto/shash.c:202
      	 hmac_setkey+0x135/0x1e0 crypto/hmac.c:66
      	 crypto_shash_setkey+0x2b/0xb0 crypto/shash.c:66
      	 shash_async_setkey+0x10/0x20 crypto/shash.c:223
      	 crypto_ahash_setkey+0x2d/0xa0 crypto/ahash.c:202
      	 crypto_authenc_setkey+0x68/0x100 crypto/authenc.c:96
      	 crypto_aead_setkey+0x2a/0xc0 crypto/aead.c:62
      	 aead_setkey+0xc/0x10 crypto/algif_aead.c:526
      	 alg_setkey crypto/af_alg.c:223 [inline]
      	 alg_setsockopt+0xfe/0x130 crypto/af_alg.c:256
      	 __sys_setsockopt+0x6d/0xd0 net/socket.c:1902
      	 __do_sys_setsockopt net/socket.c:1913 [inline]
      	 __se_sys_setsockopt net/socket.c:1910 [inline]
      	 __x64_sys_setsockopt+0x1f/0x30 net/socket.c:1910
      	 do_syscall_64+0x4a/0x180 arch/x86/entry/common.c:290
      	 entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: e236d4a8 ("[CRYPTO] authenc: Move enckeylen into key itself")
      Cc: <stable@vger.kernel.org> # v2.6.25+
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      ac90a423
    • Harsh Jain's avatar
      crypto: authencesn - Avoid twice completion call in decrypt path · 6faafeea
      Harsh Jain authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      commit a7773363 upstream.
      
      Authencesn template in decrypt path unconditionally calls aead_request_complete
      after ahash_verify which leads to following kernel panic in after decryption.
      
      [  338.539800] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
      [  338.548372] PGD 0 P4D 0
      [  338.551157] Oops: 0000 [#1] SMP PTI
      [  338.554919] CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Tainted: G        W I       4.19.7+ #13
      [  338.564431] Hardware name: Supermicro X8ST3/X8ST3, BIOS 2.0        07/29/10
      [  338.572212] RIP: 0010:esp_input_done2+0x350/0x410 [esp4]
      [  338.578030] Code: ff 0f b6 68 10 48 8b 83 c8 00 00 00 e9 8e fe ff ff 8b 04 25 04 00 00 00 83 e8 01 48 98 48 8b 3c c5 10 00 00 00 e9 f7 fd ff ff <8b> 04 25 04 00 00 00 83 e8 01 48 98 4c 8b 24 c5 10 00 00 00 e9 3b
      [  338.598547] RSP: 0018:ffff911c97803c00 EFLAGS: 00010246
      [  338.604268] RAX: 0000000000000002 RBX: ffff911c4469ee00 RCX: 0000000000000000
      [  338.612090] RDX: 0000000000000000 RSI: 0000000000000130 RDI: ffff911b87c20400
      [  338.619874] RBP: 0000000000000000 R08: ffff911b87c20498 R09: 000000000000000a
      [  338.627610] R10: 0000000000000001 R11: 0000000000000004 R12: 0000000000000000
      [  338.635402] R13: ffff911c89590000 R14: ffff911c91730000 R15: 0000000000000000
      [  338.643234] FS:  0000000000000000(0000) GS:ffff911c97800000(0000) knlGS:0000000000000000
      [  338.652047] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  338.658299] CR2: 0000000000000004 CR3: 00000001ec20a000 CR4: 00000000000006f0
      [  338.666382] Call Trace:
      [  338.669051]  <IRQ>
      [  338.671254]  esp_input_done+0x12/0x20 [esp4]
      [  338.675922]  chcr_handle_resp+0x3b5/0x790 [chcr]
      [  338.680949]  cpl_fw6_pld_handler+0x37/0x60 [chcr]
      [  338.686080]  chcr_uld_rx_handler+0x22/0x50 [chcr]
      [  338.691233]  uldrx_handler+0x8c/0xc0 [cxgb4]
      [  338.695923]  process_responses+0x2f0/0x5d0 [cxgb4]
      [  338.701177]  ? bitmap_find_next_zero_area_off+0x3a/0x90
      [  338.706882]  ? matrix_alloc_area.constprop.7+0x60/0x90
      [  338.712517]  ? apic_update_irq_cfg+0x82/0xf0
      [  338.717177]  napi_rx_handler+0x14/0xe0 [cxgb4]
      [  338.722015]  net_rx_action+0x2aa/0x3e0
      [  338.726136]  __do_softirq+0xcb/0x280
      [  338.730054]  irq_exit+0xde/0xf0
      [  338.733504]  do_IRQ+0x54/0xd0
      [  338.736745]  common_interrupt+0xf/0xf
      
      Fixes: 104880a6 ("crypto: authencesn - Convert to new AEAD...")
      Signed-off-by: default avatarHarsh Jain <harsh@chelsio.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      6faafeea
    • Willem de Bruijn's avatar
      ip: on queued skb use skb_header_pointer instead of pskb_may_pull · 83aeb077
      Willem de Bruijn authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit 4a06fa67 ]
      
      Commit 2efd4fca ("ip: in cmsg IP(V6)_ORIGDSTADDR call
      pskb_may_pull") avoided a read beyond the end of the skb linear
      segment by calling pskb_may_pull.
      
      That function can trigger a BUG_ON in pskb_expand_head if the skb is
      shared, which it is when when peeking. It can also return ENOMEM.
      
      Avoid both by switching to safer skb_header_pointer.
      
      Fixes: 2efd4fca ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Suggested-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      83aeb077
    • Jason Gunthorpe's avatar
      packet: Do not leak dev refcounts on error exit · 230f07cf
      Jason Gunthorpe authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit d972f3dc ]
      
      'dev' is non NULL when the addr_len check triggers so it must goto a label
      that does the dev_put otherwise dev will have a leaked refcount.
      
      This bug causes the ib_ipoib module to become unloadable when using
      systemd-network as it triggers this check on InfiniBand links.
      
      Fixes: 99137b78 ("packet: validate address length")
      Reported-by: default avatarLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      230f07cf
    • JianJhen Chen's avatar
      net: bridge: fix a bug on using a neighbour cache entry without checking its state · af7b91f0
      JianJhen Chen authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit 4c84edc1 ]
      
      When handling DNAT'ed packets on a bridge device, the neighbour cache entry
      from lookup was used without checking its state. It means that a cache entry
      in the NUD_STALE state will be used directly instead of entering the NUD_DELAY
      state to confirm the reachability of the neighbor.
      
      This problem becomes worse after commit 2724680b ("neigh: Keep neighbour
      cache entries if number of them is small enough."), since all neighbour cache
      entries in the NUD_STALE state will be kept in the neighbour table as long as
      the number of cache entries does not exceed the value specified in gc_thresh1.
      
      This commit validates the state of a neighbour cache entry before using
      the entry.
      Signed-off-by: default avatarJianJhen Chen <kchen@synology.com>
      Reviewed-by: default avatarJinLin Chen <jlchen@synology.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      af7b91f0
    • Eric Dumazet's avatar
      ipv6: fix kernel-infoleak in ipv6_local_error() · d72606a0
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1818797
      
      [ Upstream commit 7d033c9f ]
      
      This patch makes sure the flow label in the IPv6 header
      forged in ipv6_local_error() is initialized.
      
      BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
      CPU: 1 PID: 24675 Comm: syz-executor1 Not tainted 4.20.0-rc7+ #4
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x173/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
       kmsan_internal_check_memory+0x455/0xb00 mm/kmsan/kmsan.c:675
       kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
       _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
       copy_to_user include/linux/uaccess.h:177 [inline]
       move_addr_to_user+0x2e9/0x4f0 net/socket.c:227
       ___sys_recvmsg+0x5d7/0x1140 net/socket.c:2284
       __sys_recvmsg net/socket.c:2327 [inline]
       __do_sys_recvmsg net/socket.c:2337 [inline]
       __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
       __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x457ec9
      Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f8750c06c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
      RDX: 0000000000002000 RSI: 0000000020000400 RDI: 0000000000000005
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f8750c076d4
      R13: 00000000004c4a60 R14: 00000000004d8140 R15: 00000000ffffffff
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:219 [inline]
       kmsan_internal_chain_origin+0x134/0x230 mm/kmsan/kmsan.c:439
       __msan_chain_origin+0x70/0xe0 mm/kmsan/kmsan_instr.c:200
       ipv6_recv_error+0x1e3f/0x1eb0 net/ipv6/datagram.c:475
       udpv6_recvmsg+0x398/0x2ab0 net/ipv6/udp.c:335
       inet_recvmsg+0x4fb/0x600 net/ipv4/af_inet.c:830
       sock_recvmsg_nosec net/socket.c:794 [inline]
       sock_recvmsg+0x1d1/0x230 net/socket.c:801
       ___sys_recvmsg+0x4d5/0x1140 net/socket.c:2278
       __sys_recvmsg net/socket.c:2327 [inline]
       __do_sys_recvmsg net/socket.c:2337 [inline]
       __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
       __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
       kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
       kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
       kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2759 [inline]
       __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
       __kmalloc_reserve net/core/skbuff.c:137 [inline]
       __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
       alloc_skb include/linux/skbuff.h:998 [inline]
       ipv6_local_error+0x1a7/0x9e0 net/ipv6/datagram.c:334
       __ip6_append_data+0x129f/0x4fd0 net/ipv6/ip6_output.c:1311
       ip6_make_skb+0x6cc/0xcf0 net/ipv6/ip6_output.c:1775
       udpv6_sendmsg+0x3f8e/0x45d0 net/ipv6/udp.c:1384
       inet_sendmsg+0x54a/0x720 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       __sys_sendto+0x8c4/0xac0 net/socket.c:1788
       __do_sys_sendto net/socket.c:1800 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1796
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1796
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      Bytes 4-7 of 28 are uninitialized
      Memory access of size 28 starts at ffff8881937bfce0
      Data copied to user address 0000000020000000
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarJuerg Haefliger <juergh@canonical.com>
      Signed-off-by: default avatarKhalid Elmously <khalid.elmously@canonical.com>
      d72606a0