15 Sep, 2018 · 40 commits
    • sch_netem: avoid null pointer deref on init failure · 7a4eae7a
      Nikolay Aleksandrov authored
      commit 634576a1 upstream.
      
      netem can fail in ->init due to missing options (either not supplied by
      user-space or used as a default qdisc) causing a timer->base null
      pointer deref in its ->destroy() and ->reset() callbacks.
      
      Reproduce:
      $ sysctl net.core.default_qdisc=netem
      $ ip l set ethX up
      
      Crash log:
      [ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
      [ 1814.847181] IP: hrtimer_active+0x17/0x8a
      [ 1814.847270] PGD 59c34067
      [ 1814.847271] P4D 59c34067
      [ 1814.847337] PUD 37374067
      [ 1814.847403] PMD 0
      [ 1814.847468]
      [ 1814.847582] Oops: 0000 [#1] SMP
      [ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
      [ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G           O 4.13.0-rc6+ #62
      [ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000
      [ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
      [ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246
      [ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000
      [ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8
      [ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff
      [ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000
      [ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001
      [ 1814.849616] FS:  00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
      [ 1814.849919] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0
      [ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 1814.850723] Call Trace:
      [ 1814.850875]  hrtimer_try_to_cancel+0x1a/0x93
      [ 1814.851047]  hrtimer_cancel+0x15/0x20
      [ 1814.851211]  qdisc_watchdog_cancel+0x12/0x14
      [ 1814.851383]  netem_reset+0xe6/0xed [sch_netem]
      [ 1814.851561]  qdisc_destroy+0x8b/0xe5
      [ 1814.851723]  qdisc_create_dflt+0x86/0x94
      [ 1814.851890]  ? dev_activate+0x129/0x129
      [ 1814.852057]  attach_one_default_qdisc+0x36/0x63
      [ 1814.852232]  netdev_for_each_tx_queue+0x3d/0x48
      [ 1814.852406]  dev_activate+0x4b/0x129
      [ 1814.852569]  __dev_open+0xe7/0x104
      [ 1814.852730]  __dev_change_flags+0xc6/0x15c
      [ 1814.852899]  dev_change_flags+0x25/0x59
      [ 1814.853064]  do_setlink+0x30c/0xb3f
      [ 1814.853228]  ? check_chain_key+0xb0/0xfd
      [ 1814.853396]  ? check_chain_key+0xb0/0xfd
      [ 1814.853565]  rtnl_newlink+0x3a4/0x729
      [ 1814.853728]  ? rtnl_newlink+0x117/0x729
      [ 1814.853905]  ? ns_capable_common+0xd/0xb1
      [ 1814.854072]  ? ns_capable+0x13/0x15
      [ 1814.854234]  rtnetlink_rcv_msg+0x188/0x197
      [ 1814.854404]  ? rcu_read_unlock+0x3e/0x5f
      [ 1814.854572]  ? rtnl_newlink+0x729/0x729
      [ 1814.854737]  netlink_rcv_skb+0x6c/0xce
      [ 1814.854902]  rtnetlink_rcv+0x23/0x2a
      [ 1814.855064]  netlink_unicast+0x103/0x181
      [ 1814.855230]  netlink_sendmsg+0x326/0x337
      [ 1814.855398]  sock_sendmsg_nosec+0x14/0x3f
      [ 1814.855584]  sock_sendmsg+0x29/0x2e
      [ 1814.855747]  ___sys_sendmsg+0x209/0x28b
      [ 1814.855912]  ? do_raw_spin_unlock+0xcd/0xf8
      [ 1814.856082]  ? _raw_spin_unlock+0x27/0x31
      [ 1814.856251]  ? __handle_mm_fault+0x651/0xdb1
      [ 1814.856421]  ? check_chain_key+0xb0/0xfd
      [ 1814.856592]  __sys_sendmsg+0x45/0x63
      [ 1814.856755]  ? __sys_sendmsg+0x45/0x63
      [ 1814.856923]  SyS_sendmsg+0x19/0x1b
      [ 1814.857083]  entry_SYSCALL_64_fastpath+0x23/0xc2
      [ 1814.857256] RIP: 0033:0x7f733b2dd690
      [ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690
      [ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003
      [ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003
      [ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002
      [ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000
      [ 1814.859267]  ? trace_hardirqs_off_caller+0xa7/0xcf
      [ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3
      31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b
      45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
      [ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590
      [ 1814.860214] CR2: 0000000000000000
      
      Fixes: 87b60cfa ("net_sched: fix error recovery at qdisc creation")
      Fixes: 0fbbeb1b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sch_hhf: fix null pointer dereference on init failure · 9dafa62c
      Nikolay Aleksandrov authored
      commit 32db864d upstream.
      
      If sch_hhf fails in its ->init() function (either due to wrong
      user-space arguments as below or memory alloc failure of hh_flows) it
      will do a null pointer deref of q->hh_flows in its ->destroy() function.
      
      To reproduce the crash:
      $ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000
      
      Crash log:
      [  690.654882] BUG: unable to handle kernel NULL pointer dereference at (null)
      [  690.655565] IP: hhf_destroy+0x48/0xbc
      [  690.655944] PGD 37345067
      [  690.655948] P4D 37345067
      [  690.656252] PUD 58402067
      [  690.656554] PMD 0
      [  690.656857]
      [  690.657362] Oops: 0000 [#1] SMP
      [  690.657696] Modules linked in:
      [  690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57
      [  690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [  690.659255] task: ffff880058578000 task.stack: ffff88005acbc000
      [  690.659747] RIP: 0010:hhf_destroy+0x48/0xbc
      [  690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246
      [  690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
      [  690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0
      [  690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000
      [  690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea
      [  690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000
      [  690.663769] FS:  00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
      [  690.667069] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0
      [  690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  690.671003] Call Trace:
      [  690.671743]  qdisc_create+0x377/0x3fd
      [  690.672534]  tc_modify_qdisc+0x4d2/0x4fd
      [  690.673324]  rtnetlink_rcv_msg+0x188/0x197
      [  690.674204]  ? rcu_read_unlock+0x3e/0x5f
      [  690.675091]  ? rtnl_newlink+0x729/0x729
      [  690.675877]  netlink_rcv_skb+0x6c/0xce
      [  690.676648]  rtnetlink_rcv+0x23/0x2a
      [  690.677405]  netlink_unicast+0x103/0x181
      [  690.678179]  netlink_sendmsg+0x326/0x337
      [  690.678958]  sock_sendmsg_nosec+0x14/0x3f
      [  690.679743]  sock_sendmsg+0x29/0x2e
      [  690.680506]  ___sys_sendmsg+0x209/0x28b
      [  690.681283]  ? __handle_mm_fault+0xc7d/0xdb1
      [  690.681915]  ? check_chain_key+0xb0/0xfd
      [  690.682449]  __sys_sendmsg+0x45/0x63
      [  690.682954]  ? __sys_sendmsg+0x45/0x63
      [  690.683471]  SyS_sendmsg+0x19/0x1b
      [  690.683974]  entry_SYSCALL_64_fastpath+0x23/0xc2
      [  690.684516] RIP: 0033:0x7f8ae529d690
      [  690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690
      [  690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003
      [  690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000
      [  690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002
      [  690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000
      [  690.688475]  ? trace_hardirqs_off_caller+0xa7/0xcf
      [  690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83
      c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02
      00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1
      [  690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0
      [  690.690636] CR2: 0000000000000000
      
      Fixes: 87b60cfa ("net_sched: fix error recovery at qdisc creation")
      Fixes: 10239edf ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sch_multiq: fix double free on init failure · 68858be0
      Nikolay Aleksandrov authored
      commit e89d469e upstream.
      
      The below commit added a call to ->destroy() on init failure, but multiq
      still frees ->queues on error in init, and ->queues is also freed by
      ->destroy(); thus we get a double free and corrupted memory.
      
      Very easy to reproduce (eth0 not multiqueue):
      $ tc qdisc add dev eth0 root multiq
      RTNETLINK answers: Operation not supported
      $ ip l add dumdum type dummy
      (crash)
      
      Trace log:
      [ 3929.467747] general protection fault: 0000 [#1] SMP
      [ 3929.468083] Modules linked in:
      [ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
      [ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000
      [ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
      [ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246
      [ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df
      [ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020
      [ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000
      [ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564
      [ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00
      [ 3929.471869] FS:  00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
      [ 3929.472286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0
      [ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 3929.474873] Call Trace:
      [ 3929.475337]  ? kstrdup_const+0x23/0x25
      [ 3929.475863]  kstrdup+0x2e/0x4b
      [ 3929.476338]  kstrdup_const+0x23/0x25
      [ 3929.478084]  __kernfs_new_node+0x28/0xbc
      [ 3929.478478]  kernfs_new_node+0x35/0x55
      [ 3929.478929]  kernfs_create_link+0x23/0x76
      [ 3929.479478]  sysfs_do_create_link_sd.isra.2+0x85/0xd7
      [ 3929.480096]  sysfs_create_link+0x33/0x35
      [ 3929.480649]  device_add+0x200/0x589
      [ 3929.481184]  netdev_register_kobject+0x7c/0x12f
      [ 3929.481711]  register_netdevice+0x373/0x471
      [ 3929.482174]  rtnl_newlink+0x614/0x729
      [ 3929.482610]  ? rtnl_newlink+0x17f/0x729
      [ 3929.483080]  rtnetlink_rcv_msg+0x188/0x197
      [ 3929.483533]  ? rcu_read_unlock+0x3e/0x5f
      [ 3929.483984]  ? rtnl_newlink+0x729/0x729
      [ 3929.484420]  netlink_rcv_skb+0x6c/0xce
      [ 3929.484858]  rtnetlink_rcv+0x23/0x2a
      [ 3929.485291]  netlink_unicast+0x103/0x181
      [ 3929.485735]  netlink_sendmsg+0x326/0x337
      [ 3929.486181]  sock_sendmsg_nosec+0x14/0x3f
      [ 3929.486614]  sock_sendmsg+0x29/0x2e
      [ 3929.486973]  ___sys_sendmsg+0x209/0x28b
      [ 3929.487340]  ? do_raw_spin_unlock+0xcd/0xf8
      [ 3929.487719]  ? _raw_spin_unlock+0x27/0x31
      [ 3929.488092]  ? __handle_mm_fault+0x651/0xdb1
      [ 3929.488471]  ? check_chain_key+0xb0/0xfd
      [ 3929.488847]  __sys_sendmsg+0x45/0x63
      [ 3929.489206]  ? __sys_sendmsg+0x45/0x63
      [ 3929.489576]  SyS_sendmsg+0x19/0x1b
      [ 3929.489901]  entry_SYSCALL_64_fastpath+0x23/0xc2
      [ 3929.490172] RIP: 0033:0x7f0b6fb93690
      [ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690
      [ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003
      [ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000
      [ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002
      [ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000
      [ 3929.492352]  ? trace_hardirqs_off_caller+0xa7/0xcf
      [ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44
      89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d
      8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
      [ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0
      
      Fixes: 87b60cfa ("net_sched: fix error recovery at qdisc creation")
      Fixes: f07d1501 ("multiq: Further multiqueue cleanup")
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [AmitP: Removed unused variable 'err' in multiq_init()]
      Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sch_htb: fix crash on init failure · 7edd04dd
      Nikolay Aleksandrov authored
      commit 88c2ace6 upstream.
      
      The commit below added a call to the ->destroy() callback for all qdiscs
      which failed in their ->init(), but some were not prepared for such
      change and can't handle partially initialized qdisc. HTB is one of them
      and if any error occurs before the qdisc watchdog timer and qdisc work are
      initialized then we can hit either a null ptr deref (timer->base) when
      canceling in ->destroy or lockdep error info about trying to register
      a non-static key and a stack dump. So to fix these two move the watchdog
      timer and workqueue init before anything that can err out.
      To reproduce, userspace needs to send a broken htb qdisc create request;
      tested with a modified tc (q_htb.c).
      
      Trace log:
      [ 2710.897602] BUG: unable to handle kernel NULL pointer dereference at (null)
      [ 2710.897977] IP: hrtimer_active+0x17/0x8a
      [ 2710.898174] PGD 58fab067
      [ 2710.898175] P4D 58fab067
      [ 2710.898353] PUD 586c0067
      [ 2710.898531] PMD 0
      [ 2710.898710]
      [ 2710.899045] Oops: 0000 [#1] SMP
      [ 2710.899232] Modules linked in:
      [ 2710.899419] CPU: 1 PID: 950 Comm: tc Not tainted 4.13.0-rc6+ #54
      [ 2710.899646] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [ 2710.900035] task: ffff880059ed2700 task.stack: ffff88005ad4c000
      [ 2710.900262] RIP: 0010:hrtimer_active+0x17/0x8a
      [ 2710.900467] RSP: 0018:ffff88005ad4f960 EFLAGS: 00010246
      [ 2710.900684] RAX: 0000000000000000 RBX: ffff88003701e298 RCX: 0000000000000000
      [ 2710.900933] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88003701e298
      [ 2710.901177] RBP: ffff88005ad4f980 R08: 0000000000000001 R09: 0000000000000001
      [ 2710.901419] R10: ffff88005ad4f800 R11: 0000000000000400 R12: 0000000000000000
      [ 2710.901663] R13: ffff88003701e298 R14: ffffffff822a4540 R15: ffff88005ad4fac0
      [ 2710.901907] FS:  00007f2f5e90f740(0000) GS:ffff88005d880000(0000) knlGS:0000000000000000
      [ 2710.902277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2710.902500] CR2: 0000000000000000 CR3: 0000000058ca3000 CR4: 00000000000406e0
      [ 2710.902744] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 2710.902977] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 2710.903180] Call Trace:
      [ 2710.903332]  hrtimer_try_to_cancel+0x1a/0x93
      [ 2710.903504]  hrtimer_cancel+0x15/0x20
      [ 2710.903667]  qdisc_watchdog_cancel+0x12/0x14
      [ 2710.903866]  htb_destroy+0x2e/0xf7
      [ 2710.904097]  qdisc_create+0x377/0x3fd
      [ 2710.904330]  tc_modify_qdisc+0x4d2/0x4fd
      [ 2710.904511]  rtnetlink_rcv_msg+0x188/0x197
      [ 2710.904682]  ? rcu_read_unlock+0x3e/0x5f
      [ 2710.904849]  ? rtnl_newlink+0x729/0x729
      [ 2710.905017]  netlink_rcv_skb+0x6c/0xce
      [ 2710.905183]  rtnetlink_rcv+0x23/0x2a
      [ 2710.905345]  netlink_unicast+0x103/0x181
      [ 2710.905511]  netlink_sendmsg+0x326/0x337
      [ 2710.905679]  sock_sendmsg_nosec+0x14/0x3f
      [ 2710.905847]  sock_sendmsg+0x29/0x2e
      [ 2710.906010]  ___sys_sendmsg+0x209/0x28b
      [ 2710.906176]  ? do_raw_spin_unlock+0xcd/0xf8
      [ 2710.906346]  ? _raw_spin_unlock+0x27/0x31
      [ 2710.906514]  ? __handle_mm_fault+0x651/0xdb1
      [ 2710.906685]  ? check_chain_key+0xb0/0xfd
      [ 2710.906855]  __sys_sendmsg+0x45/0x63
      [ 2710.907018]  ? __sys_sendmsg+0x45/0x63
      [ 2710.907185]  SyS_sendmsg+0x19/0x1b
      [ 2710.907344]  entry_SYSCALL_64_fastpath+0x23/0xc2
      
      Note that probably this bug goes further back because the default qdisc
      handling always calls ->destroy on init failure too.
      
      Fixes: 87b60cfa ("net_sched: fix error recovery at qdisc creation")
      Fixes: 0fbbeb1b ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      [AmitP: Rebased for linux-4.4.y]
      Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
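      The four sch_* fixes above share one bug class: once the qdisc core calls ->destroy() after a failed ->init(), every destroy callback has to cope with a partially initialised private area (an hrtimer that was never set up, a NULL flow table, or a buffer the init path already freed). The following user-space C model, added here as an editor's example and not code from the kernel or from these commits, reproduces the three failure shapes against a tracked allocator and shows the corrected ordering and ownership rules. All names (toy_qdisc, buggy_ops, fixed_ops, the FAIL_* injection points, the ERR_* crash codes) are constructed for the example; ERR_NULL_DEREF and ERR_DOUBLE_FREE stand in for the Oops and slab corruption the real bugs caused.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two errnos the commits mention, plus two codes that stand in for the kernel
 * Oops / slab corruption a real NULL deref or double free would produce. */
enum { ERR_NOMEM = -12, ERR_INVAL = -22, ERR_NULL_DEREF = -1000, ERR_DOUBLE_FREE = -1001 };

/* Tiny allocation tracker (constructed for the example): reports double frees
 * and leaks the way KASAN / slub debugging would in the kernel. */
#define MAX_TRACKED 16
static struct { void *ptr; bool live; } tracked[MAX_TRACKED];
static int ntracked;

static void *talloc(size_t n) {
    void *p = ntracked < MAX_TRACKED ? calloc(1, n) : NULL;
    if (!p) return NULL;
    tracked[ntracked].ptr = p; tracked[ntracked].live = true; ntracked++;
    return p;
}
static int tfree(void *p) {
    for (int i = ntracked - 1; i >= 0; i--)      /* newest record first: addresses get reused */
        if (tracked[i].ptr == p) {
            if (!tracked[i].live) return ERR_DOUBLE_FREE;
            tracked[i].live = false; free(p); return 0;
        }
    return ERR_DOUBLE_FREE;                       /* never allocated by talloc */
}
int live_allocs(void) { int n = 0; for (int i = 0; i < ntracked; i++) n += tracked[i].live; return n; }
static void reset_tracking(void) { for (int i = 0; i < ntracked; i++) if (tracked[i].live) free(tracked[i].ptr); ntracked = 0; }

/* Toy qdisc private area: a watchdog (like qdisc_watchdog/hrtimer), a flow
 * table (like hhf's hh_flows) and per-band queues (like multiq's queues). */
struct toy_qdisc { bool wd_initialised; int *flows; void **queues; };
struct toy_ops { int (*init)(struct toy_qdisc *, int fail_at); int (*destroy)(struct toy_qdisc *); };
enum fail_at { FAIL_NONE, FAIL_OPTIONS, FAIL_FLOWS, FAIL_BANDS };

/* hrtimer_cancel() reads timer->base; on a never-initialised watchdog that read is the NULL deref. */
static int watchdog_cancel(struct toy_qdisc *q) { return q->wd_initialised ? 0 : ERR_NULL_DEREF; }

/* ---- the pattern the four fixes corrected ---- */
static int buggy_init(struct toy_qdisc *q, int f) {
    if (f == FAIL_OPTIONS) return ERR_INVAL;               /* bails before the watchdog exists (netem/htb) */
    q->wd_initialised = true;
    q->flows = f == FAIL_FLOWS ? NULL : talloc(64 * sizeof *q->flows);
    if (!q->flows) return ERR_NOMEM;                       /* leaves flows NULL for destroy (hhf) */
    q->queues = talloc(4 * sizeof *q->queues);
    if (!q->queues) return ERR_NOMEM;
    if (f == FAIL_BANDS) { tfree(q->queues); return ERR_INVAL; }  /* frees what destroy frees again (multiq) */
    return 0;
}
static int buggy_destroy(struct toy_qdisc *q) {
    int rc = watchdog_cancel(q);
    if (rc) return rc;
    if (!q->flows) return ERR_NULL_DEREF;                  /* unguarded walk of q->flows */
    tfree(q->flows);
    return tfree(q->queues);                               /* second free after the init path above */
}

/* ---- corrected pattern: destroy tolerates any partially initialised state ---- */
static int fixed_init(struct toy_qdisc *q, int f) {
    q->wd_initialised = true;                              /* watchdog before anything that can err out (htb fix) */
    if (f == FAIL_OPTIONS) return ERR_INVAL;
    q->flows = f == FAIL_FLOWS ? NULL : talloc(64 * sizeof *q->flows);
    if (!q->flows) return ERR_NOMEM;
    q->queues = talloc(4 * sizeof *q->queues);
    if (!q->queues) return ERR_NOMEM;
    if (f == FAIL_BANDS) return ERR_INVAL;                 /* no free here: ->destroy() owns teardown (multiq fix) */
    return 0;
}
static int fixed_destroy(struct toy_qdisc *q) {
    int rc = watchdog_cancel(q);
    if (rc) return rc;
    if (q->flows && (rc = tfree(q->flows))) return rc;     /* NULL-guarded (hhf fix) */
    if (q->queues && (rc = tfree(q->queues))) return rc;
    return 0;
}

const struct toy_ops buggy_ops = { buggy_init, buggy_destroy };
const struct toy_ops fixed_ops = { fixed_init, fixed_destroy };

/* Mirrors qdisc_create()/qdisc_create_dflt() after 87b60cfa: a failed
 * ->init() is followed by ->destroy() on the partially initialised qdisc. */
static int create_qdisc(const struct toy_ops *ops, struct toy_qdisc *q, int f) {
    memset(q, 0, sizeof *q);                               /* the kernel zeroes the priv area too */
    int err = ops->init(q, f);
    if (!err) return 0;
    int d = ops->destroy(q);
    return d ? d : err;                                    /* a crash in destroy masks the original error */
}

/* Create, and on success tear down normally; returns 0, an errno, or a crash code. */
int run_scenario(const struct toy_ops *ops, int f) {
    struct toy_qdisc q;
    reset_tracking();
    int rc = create_qdisc(ops, &q, f);
    return rc ? rc : ops->destroy(&q);
}

int main(void) {
    static const char *names[] = { "ok", "bad options", "flows alloc fails", "bad band count" };
    for (int f = FAIL_NONE; f <= FAIL_BANDS; f++)
        printf("%-18s buggy=%5d fixed=%3d leaked=%d\n", names[f],
               run_scenario(&buggy_ops, f), run_scenario(&fixed_ops, f), live_allocs());
    return 0;
}
```

      The design rule the fixed variant follows is the one the commits converge on: initialise anything the destroy path will touch before the first early exit, never free in init what destroy will free, and NULL-check every optional allocation in destroy. The tracker also confirms that the fixed path leaks nothing on any error exit.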
    • ovl: proper cleanup of workdir · 89f15c6e
      Miklos Szeredi authored
      commit eea2fb48 upstream.
      
      When mounting overlayfs it needs a clean "work" directory under the
      supplied workdir.
      
      Previously the mount code removed this directory if it already existed and
      created a new one.  If the removal failed (e.g. directory was not empty)
      then it fell back to a read-only mount not using the workdir.
      
      While this has never been reported, it is possible to get a non-empty
      "work" dir from a previous mount of overlayfs in case of crash in the
      middle of an operation using the work directory.
      
      In this case the left over state should be discarded and the overlay
      filesystem will be consistent, guaranteed by the atomicity of operations on
      moving to/from the workdir to the upper layer.
      
      This patch implements cleaning out any files left in workdir.  It is
      implemented using real recursion for simplicity, but the depth is limited
      to 2, because the worst case is that of a directory containing whiteouts
      under "work".
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ovl: override creds with the ones from the superblock mounter · 121b09d3
      Antonio Murdaca authored
      commit 3fe6e52f upstream.
      
      In user namespace the whiteout creation fails with -EPERM because the
      current process isn't capable(CAP_SYS_ADMIN) when setting xattr.
      
      A simple reproducer:
      
      $ mkdir upper lower work merged lower/dir
      $ sudo mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merged
      $ unshare -m -p -f -U -r bash
      
      Now as root in the user namespace:
      
      # touch merged/dir/{1,2,3} # this will force a copy up of lower/dir
      # rm -fR merged/*
      
      This ends up failing with -EPERM after the files in dir have been
      correctly deleted:
      
      unlinkat(4, "2", 0)                     = 0
      unlinkat(4, "1", 0)                     = 0
      unlinkat(4, "3", 0)                     = 0
      close(4)                                = 0
      unlinkat(AT_FDCWD, "merged/dir", AT_REMOVEDIR) = -1 EPERM (Operation not
      permitted)
      
      Interestingly, if you don't place files in merged/dir you can remove it,
      meaning if upper/dir does not exist, creating the char device file works
      properly in that same location.
      
      This patch uses ovl_sb_creator_cred() to get the cred struct from the
      superblock mounter and override the old cred with these new ones so that
      the whiteout creation is possible because overlay is wrong in assuming that
      the creds it will get with prepare_creds will be in the initial user
      namespace.  The old cap_raise game is removed in favor of just overriding
      the old cred struct.
      
      This patch also drops from ovl_copy_up_one() the following two lines:
      
      override_cred->fsuid = stat->uid;
      override_cred->fsgid = stat->gid;
      
      This is because the correct uid and gid are taken directly with the stat
      struct and correctly set with ovl_set_attr().
      Signed-off-by: Antonio Murdaca <runcom@redhat.com>
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ovl: rename is_merge to is_lowest · 6586f61a
      Miklos Szeredi authored
      commit 56656e96 upstream.
      
      The 'is_merge' is an historical naming from when only a single lower layer
      could exist.  With the introduction of multiple lower layers the meaning of
      this flag was changed to mean only the "lowest layer" (while all lower
      layers were being merged).
      
      So now 'is_merge' is inaccurate and hence is renamed to 'is_lowest'.
      Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: SZ Lin (林上智) <sz.lin@moxa.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqchip/gic: Make interrupt ID 1020 invalid · eadbe44f
      Marc Zyngier authored
      commit 327ebe1f upstream.
      
      The GIC has no such thing as interrupt 1020: the last valid ID is
      1019, and the range 1020-1023 is reserved - 1023 indicating that
      no interrupt is pending. So let's make sure we don't try to handle
      this ID.
      
      This bug has been in since the initial GIC code was introduced in
      8ad68bbf ("[ARM] Add support for ARM RealView board").
      Reported-by: Eric Auger <eric.auger@linaro.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar() · 3107eb31
      Marc Zyngier authored
      commit 8f318526 upstream.
      
      Commit 1a1ebd5f ("irqchip/gic-v3: Make sure read from ICC_IAR1_EL1 is
      visible on redestributor") fixed the missing barrier on arm64, but
      forgot to update the 32bit counterpart, which has the same requirements.
      Let's fix it.
      
      Fixes: 1a1ebd5f ("irqchip/gic-v3: Make sure read from ICC_IAR1_EL1 is visible on redestributor")
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size · 5e56ddc7
      Shanker Donthineni authored
      commit 2eca0d6c upstream.
      
      Function its_alloc_tables() maintains two local variables, "order" and
      "alloc_size", to hold the memory size that has been allocated to
      ITS_BASEn. We don't always refresh the variable alloc_size whenever the
      value of the variable order changes, causing the following two
      problems.
      
        - Cache flush operation with size more than required.
        - Information reported by pr_info is not correct.
      
      Use a helper macro that converts page order to size in bytes instead of
      variable "alloc_size" to fix both the problems.
      Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqchip/gicv3-its: Fix memory leak in its_free_tables() · 4a0c7f6a
      Shanker Donthineni authored
      commit 1a485f4d upstream.
      
      The current ITS driver has a memory leak in its_free_tables(). It
      happens on tear down path of the driver when its_probe() call fails.
      its_free_tables() should free the exact number of pages that have
      been allocated, not just a single page as current code does.
      
      This patch records the memory size for each ITS_BASERn at the time of
      page allocation and uses the same size information when freeing pages
      to fix the issue.
      Signed-off-by: Shanker Donthineni <shankerd@codeaurora.org>
      Acked-by: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Jason Cooper <jason@lakedaemon.net>
      Cc: Vikram Sethi <vikrams@codeaurora.org>
      Cc: linux-arm-kernel@lists.infradead.org
      Link: http://lkml.kernel.org/r/1454379584-21772-1-git-send-email-shankerd@codeaurora.org
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqchip/gic-v3-its: Recompute the number of pages on page size change · ad37cd79
      Marc Zyngier authored
      commit 18aa60ce upstream.
      
      When the programming of a GITS_BASERn register fails because of
      an unsupported ITS page size, we retry it with a smaller page size.
      Unfortunately, we don't recompute the number of allocated ITS pages,
      indicating the wrong value computed in the original allocation.
      
      A convenient fix is to free the pages we allocated, update the
      page size, and restart the allocation. This will ensure that
      we always allocate the right amount in the case of a device
      table, especially if we have to reduce the allocation order
      to stay within the boundaries of the ITS maximum allocation.
      Reported-and-tested-by: Ma Jun <majun258@huawei.com>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Jason Cooper <jason@lakedaemon.net>
      Link: http://lkml.kernel.org/r/1453818255-1289-1-git-send-email-marc.zyngier@arm.com
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • genirq: Delay incrementing interrupt count if it's disabled/pending · 27e83f7d
      Sudeep Holla authored
      commit a946e8c7 upstream.
      
      In case of a wakeup interrupt, irq_pm_check_wakeup disables the interrupt
      and marks it pending and suspended, disables it and notifies the pm core
      about the wake event. The interrupt gets handled later once the system
      is resumed.
      
      However the irq stats are updated twice: once when it's disabled waiting
      for the system to resume and later when it's handled, resulting in wrong
      counting of the wakeup interrupt when waking up the system.
      
      This patch updates the interrupt count so that it's updated only when
      the interrupt gets handled. It's already handled correctly in
      handle_edge_irq and handle_edge_eoi_irq.
      Reported-by: Manoil Claudiu <claudiu.manoil@freescale.com>
      Signed-off-by: Sudeep Holla <sudeep.holla@arm.com>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Link: http://lkml.kernel.org/r/1446661957-1019-1-git-send-email-sudeep.holla@arm.com
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: Hanjun Guo <hanjun.guo@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Fixes: Commit cdbf9267 ("mm: numa: avoid waiting on freed migrated pages") · e72977e8
      Chas Williams authored
      Commit cdbf9267 ("mm: numa: avoid waiting on freed migrated pages")
      was an incomplete backport of the upstream commit.  It is necessary to
      always reset page_nid before attempting any early exit.
      
      The original commit conflicted due to lack of commit 82b0f8c3
      ("mm: join struct fault_env and vm_fault") in 4.9 so it wasn't a clean
      application, and the change must have just gotten lost in the noise.
      Signed-off-by: Chas Williams <chas3@att.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • enic: do not call enic_change_mtu in enic_probe · a5042274
      Govindarajulu Varadarajan authored
      commit cb5c6568 upstream.
      
      In commit ab123fe0 ("enic: handle mtu change for vf properly")
      ASSERT_RTNL() is added to _enic_change_mtu() to prevent it from being
      called without rtnl held. enic_probe() calls enic_change_mtu()
      without rtnl held. At this point netdev is not registered yet.
      Remove call to enic_change_mtu and assign the mtu to netdev->mtu.
      
      Fixes: ab123fe0 ("enic: handle mtu change for vf properly")
      Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Revert "ARM: imx_v6_v7_defconfig: Select ULPI support" · a37c7042
      Fabio Estevam authored
      This reverts commit 0d0af17a.
      
      This commit causes reboot to fail on imx6 wandboard, so let's
      revert it.
      
      Cc: <stable@vger.kernel.org> #4.4
      Reported-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
      Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irda: Only insert new objects into the global database via setsockopt · 131a3b82
      Tyler Hicks authored
      The irda_setsockopt() function conditionally allocates memory for a new
      self->ias_object or, in some cases, reuses the existing
      self->ias_object. Existing objects were incorrectly reinserted into the
      LM_IAS database which corrupted the doubly linked list used for the
      hashbin implementation of the LM_IAS database. When combined with a
      memory leak in irda_bind(), this issue could be leveraged to create a
      use-after-free vulnerability in the hashbin list. This patch fixes the
      issue by only inserting newly allocated objects into the database.
      
      CVE-2018-6555
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
      Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irda: Fix memory leak caused by repeated binds of irda socket · 4a7811bb
      Tyler Hicks authored
      The irda_bind() function allocates memory for self->ias_obj without
      checking to see if the socket is already bound. A userspace process
      could repeatedly bind the socket, have each new object added into the
      LM-IAS database, and lose the reference to the old object assigned to
      the socket to exhaust memory resources. This patch errors out of the
      bind operation when self->ias_obj is already assigned.
      
      CVE-2018-6554
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
      Reviewed-by: Seth Arnold <seth.arnold@canonical.com>
      Reviewed-by: Stefan Bader <stefan.bader@canonical.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
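Added example (this editor's C model, not code from the irda driver or from either of the two irda commits above), covering both fixes: a socket owns at most one IAS object, the bind path refuses a second bind instead of allocating again, and the setsockopt path links into the hashbin-like list only an object it allocated itself. The type and function names and the -EINVAL/-EEXIST return values are this model's assumptions.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Intrusive doubly linked list standing in for the LM-IAS hashbin. */
struct ias_object {
    char name[32];
    struct ias_object *prev, *next;
    int in_db;                   /* set once the object is linked in */
};

struct ias_db {
    struct ias_object *head;
    int count;
};

struct irda_sock {
    struct ias_object *ias_obj;  /* object registered by this socket, if any */
};

/* Insert at the head. Refusing a node that is already linked is what keeps
 * prev/next consistent: relinking it would point the list at itself. */
static int ias_db_insert(struct ias_db *db, struct ias_object *obj)
{
    if (obj->in_db)
        return -EEXIST;
    obj->prev = NULL;
    obj->next = db->head;
    if (db->head)
        db->head->prev = obj;
    db->head = obj;
    obj->in_db = 1;
    db->count++;
    return 0;
}

static struct ias_object *ias_object_alloc(const char *name)
{
    struct ias_object *obj = calloc(1, sizeof(*obj));
    if (obj)
        strncpy(obj->name, name, sizeof(obj->name) - 1);
    return obj;
}

/* bind(): the leak fix. Before, a second bind allocated and registered a
 * fresh object and dropped the pointer to the old one; now a socket that
 * already has ias_obj is refused (-EINVAL is this model's choice). */
int sock_bind(struct irda_sock *self, struct ias_db *db, const char *name)
{
    struct ias_object *obj;

    if (self->ias_obj)
        return -EINVAL;
    obj = ias_object_alloc(name);
    if (!obj)
        return -ENOMEM;
    if (ias_db_insert(db, obj) < 0) {
        free(obj);
        return -EINVAL;
    }
    self->ias_obj = obj;
    return 0;
}

/* setsockopt(): reuse the socket's existing object when it has one and
 * insert into the database only when the object was allocated here.
 * The 'before' code inserted unconditionally, re-linking existing nodes. */
int sock_set_object(struct irda_sock *self, struct ias_db *db, const char *name)
{
    struct ias_object *obj = self->ias_obj;

    if (obj)
        return 0;                /* existing object: update in place, no insert */
    obj = ias_object_alloc(name);
    if (!obj)
        return -ENOMEM;
    if (ias_db_insert(db, obj) < 0) {
        free(obj);
        return -EINVAL;
    }
    self->ias_obj = obj;
    return 0;
}

/* Walk the list forwards checking every back link; returns the node count,
 * or -1 if the links disagree (the corruption a double insert produces). */
int ias_db_check(const struct ias_db *db)
{
    const struct ias_object *o, *last = NULL;
    int n = 0;

    for (o = db->head; o; last = o, o = o->next) {
        if (o->prev != last || ++n > db->count)
            return -1;
    }
    return n == db->count ? n : -1;
}
```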
    • kbuild: make missing $DEPMOD a Warning instead of an Error · accf294a
      Randy Dunlap authored
      commit 914b087f upstream.
      
      When $DEPMOD is not found, only print a warning instead of exiting
      with an error message and error status:
      
      Warning: 'make modules_install' requires /sbin/depmod. Please install it.
      This is probably in the kmod package.
      
      Change the Error to a Warning because "not all build hosts for cross
      compiling Linux are Linux systems and are able to provide a working
      port of depmod, especially at the file patch /sbin/depmod."
      
      I.e., "make modules_install" may be used to copy/install the
      loadable modules files to a target directory on a build system and
      then transferred to an embedded device where /sbin/depmod is run
      instead of it being run on the build system.
      
      Fixes: 934193a6 ("kbuild: verify that $DEPMOD is installed")
      Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
      Reported-by: H. Nikolaus Schaller <hns@goldelico.com>
      Cc: stable@vger.kernel.org
      Cc: Lucas De Marchi <lucas.demarchi@profusion.mobi>
      Cc: Lucas De Marchi <lucas.de.marchi@gmail.com>
      Cc: Michal Marek <michal.lkml@markovi.net>
      Cc: Jessica Yu <jeyu@kernel.org>
      Cc: Chih-Wei Huang <cwhuang@linux.org.tw>
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: Maxim Zhukov <mussitantesmortem@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear · f46d2b99
      Juergen Gross authored
      commit b2d7a075 upstream.
      
      Using only 32-bit writes for the pte will result in an intermediate
      L1TF vulnerable PTE. When running as a Xen PV guest this will at once
      switch the guest to shadow mode resulting in a loss of performance.
      
      Use arch_atomic64_xchg() instead which will perform the requested
      operation atomically with all 64 bits.
      
      Some performance considerations according to:
      
      https://software.intel.com/sites/default/files/managed/ad/dc/Intel-Xeon-Scalable-Processor-throughput-latency.pdf
      
      The main number should be the latency, as there is no tight loop around
      native_ptep_get_and_clear().
      
      "lock cmpxchg8b" has a latency of 20 cycles, while "lock xchg" (with a
      memory operand) isn't mentioned in that document. "lock xadd" (with xadd
      having 3 cycles less latency than xchg) has a latency of 11, so we can
      assume a latency of 14 for "lock xchg".
      Signed-off-by: Juergen Gross <jgross@suse.com>
      Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
      Reviewed-by: Jan Beulich <jbeulich@suse.com>
      Tested-by: Jason Andryuk <jandryuk@gmail.com>
      Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      [ Atomic operations gained an arch_ prefix in 8bf705d1
      ("locking/atomic/x86: Switch atomic.h to use atomic-instrumented.h") so
      s/arch_atomic64_xchg/atomic64_xchg/ for backport.]
      Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
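Added example (this editor's C, not the kernel's native_ptep_get_and_clear()): the split 32-bit clear beside the 64-bit atomic exchange, making visible the intermediate PTE the commit message refers to. The PTE bit positions are the real x86 ones; the type and function names, and the low-half-first store order, are choices of this example.

```c
#include <stdint.h>

/* Real x86 PTE bit positions: present is bit 0, the physical frame number
 * occupies bits 12..51. */
#define PTE_PRESENT  ((uint64_t)1 << 0)
#define PTE_PFN_MASK ((((uint64_t)1 << 52) - 1) & ~(uint64_t)0xfff)

/* A PAE PTE seen as one 64-bit word or as two 32-bit halves
 * (w[0] is the low half on little-endian x86). */
union pte64 {
    uint64_t v;
    uint32_t w[2];
};

/* Values observable while a split clear is in progress. */
struct split_clear_trace {
    uint64_t old;           /* what the caller gets back */
    uint64_t intermediate;  /* what another CPU can read between the stores */
};

/* 'Before': clear with two 32-bit stores, low half first (this example's
 * choice of order). After the first store the present bit is gone but the
 * high PFN bits are still in place: a not-present PTE that still names a
 * physical frame, which is the L1TF-exposed intermediate state. */
struct split_clear_trace pte_split_clear(union pte64 *pte)
{
    struct split_clear_trace t;

    t.old = pte->v;
    pte->w[0] = 0;
    t.intermediate = pte->v;
    pte->w[1] = 0;
    return t;
}

/* 'After': one 64-bit atomic exchange, what atomic64_xchg() provides (on
 * 32-bit x86 it is built on cmpxchg8b, the instruction whose latency the
 * commit message discusses). There is no state between old and zero. */
uint64_t pte_atomic_clear(uint64_t *pte)
{
    return __atomic_exchange_n(pte, (uint64_t)0, __ATOMIC_SEQ_CST);
}

/* A PTE is L1TF-relevant when it is not present yet still carries a frame
 * number that speculation could use. */
int pte_is_l1tf_exposed(uint64_t pte)
{
    return !(pte & PTE_PRESENT) && (pte & PTE_PFN_MASK) != 0;
}
```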
    • debugobjects: Make stack check warning more informative · 98d122a4
      Joel Fernandes (Google) authored
      commit fc91a3c4 upstream.
      
      While debugging an issue debugobject tracking warned about an annotation
      issue of an object on stack. It turned out that the issue was due to the
      object in concern being on a different stack which was due to another
      issue.
      
      Thomas suggested to print the pointers and the location of the stack for
      the currently running task. This helped to figure out that the object was
      on the wrong stack.
      
      As this is general useful information for debugging similar issues, make
      the error message more informative by printing the pointers.
      
      [ tglx: Massaged changelog ]
      Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
      Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
      Acked-by: Waiman Long <longman@redhat.com>
      Acked-by: Yang Shi <yang.shi@linux.alibaba.com>
      Cc: kernel-team@android.com
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: astrachan@google.com
      Link: https://lkml.kernel.org/r/20180723212531.202328-1-joel@joelfernandes.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: Don't remove block group that still has pinned down bytes · 02e48c4d
      Qu Wenruo authored
      [ Upstream commit 43794446 ]
      
      [BUG]
      Under certain KVM load and LTP tests, it is possible to hit the
      following calltrace if quota is enabled:
      
      BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
      BTRFS critical (device vda2): unable to find logical 8820195328 length 4096
      
      WARNING: CPU: 0 PID: 49 at ../block/blk-core.c:172 blk_status_to_errno+0x1a/0x30
      CPU: 0 PID: 49 Comm: kworker/u2:1 Not tainted 4.12.14-15-default #1 SLE15 (unreleased)
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.0.0-prebuilt.qemu-project.org 04/01/2014
      Workqueue: btrfs-endio-write btrfs_endio_write_helper [btrfs]
      task: ffff9f827b340bc0 task.stack: ffffb4f8c0304000
      RIP: 0010:blk_status_to_errno+0x1a/0x30
      Call Trace:
       submit_extent_page+0x191/0x270 [btrfs]
       ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
       __do_readpage+0x2d2/0x810 [btrfs]
       ? btrfs_create_repair_bio+0x130/0x130 [btrfs]
       ? run_one_async_done+0xc0/0xc0 [btrfs]
       __extent_read_full_page+0xe7/0x100 [btrfs]
       ? run_one_async_done+0xc0/0xc0 [btrfs]
       read_extent_buffer_pages+0x1ab/0x2d0 [btrfs]
       ? run_one_async_done+0xc0/0xc0 [btrfs]
       btree_read_extent_buffer_pages+0x94/0xf0 [btrfs]
       read_tree_block+0x31/0x60 [btrfs]
       read_block_for_search.isra.35+0xf0/0x2e0 [btrfs]
       btrfs_search_slot+0x46b/0xa00 [btrfs]
       ? kmem_cache_alloc+0x1a8/0x510
       ? btrfs_get_token_32+0x5b/0x120 [btrfs]
       find_parent_nodes+0x11d/0xeb0 [btrfs]
       ? leaf_space_used+0xb8/0xd0 [btrfs]
       ? btrfs_leaf_free_space+0x49/0x90 [btrfs]
       ? btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
       btrfs_find_all_roots_safe+0x93/0x100 [btrfs]
       btrfs_find_all_roots+0x45/0x60 [btrfs]
       btrfs_qgroup_trace_extent_post+0x20/0x40 [btrfs]
       btrfs_add_delayed_data_ref+0x1a3/0x1d0 [btrfs]
       btrfs_alloc_reserved_file_extent+0x38/0x40 [btrfs]
       insert_reserved_file_extent.constprop.71+0x289/0x2e0 [btrfs]
       btrfs_finish_ordered_io+0x2f4/0x7f0 [btrfs]
       ? pick_next_task_fair+0x2cd/0x530
       ? __switch_to+0x92/0x4b0
       btrfs_worker_helper+0x81/0x300 [btrfs]
       process_one_work+0x1da/0x3f0
       worker_thread+0x2b/0x3f0
       ? process_one_work+0x3f0/0x3f0
       kthread+0x11a/0x130
       ? kthread_create_on_node+0x40/0x40
       ret_from_fork+0x35/0x40
      
      BTRFS critical (device vda2): unable to find logical 8820195328 length 16384
      BTRFS: error (device vda2) in btrfs_finish_ordered_io:3023: errno=-5 IO failure
      BTRFS info (device vda2): forced readonly
      BTRFS error (device vda2): pending csums is 2887680
      
      [CAUSE]
      It's caused by race with block group auto removal:
      
      - There is a meta block group X, which has only one tree block
        The tree block belongs to fs tree 257.
      - In current transaction, some operation modified fs tree 257
        The tree block gets COWed, so the block group X is empty, and marked
        as unused, queued to be deleted.
      - Some workload (like fsync) wakes up cleaner_kthread()
        Which will call btrfs_delete_unused_bgs() to remove unused block
        groups.
        So block group X along its chunk map get removed.
      - Some delalloc work finished for fs tree 257
        Quota needs to get the original reference of the extent, which will
        read tree blocks of commit root of 257.
        Then since the chunk map gets removed, the above warning gets
        triggered.
      
      [FIX]
      Just let btrfs_delete_unused_bgs() skip block group which still has
      pinned bytes.
      
      However there is a minor side effect: currently we only queue empty
      blocks at update_block_group(), and such empty block group with pinned
      bytes won't go through update_block_group() again, such block group
      won't be removed, until it gets new extent allocated and removed.
      Signed-off-by: Qu Wenruo <wqu@suse.com>
      Reviewed-by: Filipe Manana <fdmanana@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized · 510825b3
      Qu Wenruo authored
      [ Upstream commit 389305b2 ]
      
      Invalid reloc tree can cause kernel NULL pointer dereference when btrfs
      does some cleanup of the reloc roots.
      
      It turns out that fs_info::reloc_ctl can be NULL in
      btrfs_recover_relocation() as we allocate relocation control after all
      reloc roots have been verified.
      So when we hit: note, we haven't called set_reloc_control() thus
      fs_info::reloc_ctl is still NULL.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=199833
      Reported-by: Xu Wen <wen.xu@gatech.edu>
      Signed-off-by: Qu Wenruo <wqu@suse.com>
      Tested-by: Gu Jinxiang <gujx@cn.fujitsu.com>
      Reviewed-by: David Sterba <dsterba@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • btrfs: replace: Reset on-disk dev stats value after replace · accb3e42
      Misono Tomohiro authored
      [ Upstream commit 1e7e1f9e ]
      
      The on-disk dev stats value is updated in btrfs_run_dev_stats(),
      which is called during commit transaction, if device->dev_stats_ccnt
      is not zero.
      
      Since current replace operation does not touch dev_stats_ccnt,
      on-disk dev stats value is not updated. Therefore "btrfs device stats"
      may return old device's value after umount/mount
      (Example: See "btrfs ins dump-t -t DEV $DEV" after btrfs/100 finish).
      
      Fix this by just incrementing dev_stats_ccnt in
      btrfs_dev_replace_finishing() when replace has succeeded; this will
      update the values.
      Signed-off-by: Misono Tomohiro <misono.tomohiro@jp.fujitsu.com>
      Reviewed-by: David Sterba <dsterba@suse.com>
      Signed-off-by: David Sterba <dsterba@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX. · 2dc310f8
      Mahesh Salgaonkar authored
      [ Upstream commit 74e96bf4 ]
      
      The global mce data buffer that is used to copy the rtas error log is 2048
      (RTAS_ERROR_LOG_MAX) bytes in size. Before the copy we read
      extended_log_length from rtas error log header, then use max of
      extended_log_length and RTAS_ERROR_LOG_MAX as a size of data to be copied.
      Ideally the platform (phyp) will never send extended error log with
      size > 2048. But if that happens, then we have a risk of buffer overrun
      and corruption. Fix this by using min_t instead.
      
      Fixes: d368514c ("powerpc: Fix corruption when grabbing FWNMI data")
      Reported-by: Michal Suchanek <msuchanek@suse.com>
      Signed-off-by: Mahesh Salgaonkar <mahesh@linux.vnet.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • SMB3: Number of requests sent should be displayed for SMB3 not just CIFS · a9997f88
      Steve French authored
      [ Upstream commit 289131e1 ]
      
      For SMB2/SMB3 the number of requests sent was not displayed
      in /proc/fs/cifs/Stats unless CONFIG_CIFS_STATS2 was
      enabled (only number of failed requests displayed). As
      with earlier dialects, we should be displaying these
      counters if CONFIG_CIFS_STATS is enabled. They
      are important for debugging.
      
      e.g. when you cat /proc/fs/cifs/Stats (before the patch)
      Resources in use
      CIFS Session: 1
      Share (unique mount targets): 2
      SMB Request/Response Buffer: 1 Pool size: 5
      SMB Small Req/Resp Buffer: 1 Pool size: 30
      Operations (MIDs): 0
      
      0 session 0 share reconnects
      Total vfs operations: 690 maximum at one time: 2
      
      1) \\localhost\test
      SMBs: 975
      Negotiates: 0 sent 0 failed
      SessionSetups: 0 sent 0 failed
      Logoffs: 0 sent 0 failed
      TreeConnects: 0 sent 0 failed
      TreeDisconnects: 0 sent 0 failed
      Creates: 0 sent 2 failed
      Closes: 0 sent 0 failed
      Flushes: 0 sent 0 failed
      Reads: 0 sent 0 failed
      Writes: 0 sent 0 failed
      Locks: 0 sent 0 failed
      IOCTLs: 0 sent 1 failed
      Cancels: 0 sent 0 failed
      Echos: 0 sent 0 failed
      QueryDirectories: 0 sent 63 failed
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Aurelien Aptel <aaptel@suse.com>
      Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • smb3: fix reset of bytes read and written stats · d6773f40
      Steve French authored
      [ Upstream commit c281bc0c ]
      
      echo 0 > /proc/fs/cifs/Stats is supposed to reset the stats
      but there were four (see example below) that were not reset
      (bytes read and written, total vfs ops and max ops
      at one time).
      
      ...
      0 session 0 share reconnects
      Total vfs operations: 100 maximum at one time: 2
      
      1) \\localhost\test
      SMBs: 0
      Bytes read: 502092  Bytes written: 31457286
      TreeConnects: 0 total 0 failed
      TreeDisconnects: 0 total 0 failed
      ...
      
      This patch fixes cifs_stats_proc_write to properly reset
      those four.
      Signed-off-by: Steve French <stfrench@microsoft.com>
      Reviewed-by: Aurelien Aptel <aaptel@suse.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • selftests/powerpc: Kill child processes on SIGINT · 8e676abe
      Breno Leitao authored
      [ Upstream commit 7c27a26e ]
      
      There are some powerpc selftests, as tm/tm-unavailable, that run for a long
      period (>120 seconds), and if it is interrupted, as pressing CTRL-C
      (SIGINT), the foreground process (harness) dies but the child process and
      threads continue to execute (with PPID = 1 now) in background.
      
      In this case, you'd think the whole test exited, but there are remaining
      threads and processes being executed in background. Sometimes these
      zombie processes are doing annoying things, as consuming the whole CPU or
      dumping things to STDOUT.
      
      This patch fixes this problem by attaching an empty signal handler to
      SIGINT in the harness process. This handler will interrupt (EINTR) the
      parent process waitpid() call, letting the code follow through the
      normal flow, which will kill all the processes in the child process group.
      
      This patch also fixes a typo.
      Signed-off-by: Breno Leitao <leitao@debian.org>
      Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
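Added example (this editor's C, not the powerpc selftest harness code): a minimal harness that installs an empty SIGINT handler so a blocking waitpid() returns EINTR and then signals the child's whole process group, the mechanism the commit message describes. The function names and the helper process that stands in for Ctrl-C are constructed for this example; it needs a POSIX system.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Empty handler: its only effect is that a blocking system call in the
 * harness returns EINTR. Installed without SA_RESTART, otherwise waitpid()
 * would be restarted transparently and the interruption lost. */
static void sigint_noop(int sig) { (void)sig; }

static int install_sigint_handler(void)
{
    struct sigaction sa;

    sa.sa_handler = sigint_noop;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = 0;
    return sigaction(SIGINT, &sa, NULL);
}

/* Run test_body in a child that leads its own process group and wait for it.
 * On interruption, signal the whole group so no thread or grandchild stays
 * behind. Returns the signal that ended the child, 0 on a normal exit, -1 on
 * error. */
int run_test_in_pgrp(void (*test_body)(void))
{
    int status = 0;
    pid_t child = fork();

    if (child < 0)
        return -1;
    if (child == 0) {
        setpgid(0, 0);          /* new group; descendants inherit it */
        test_body();
        _exit(0);
    }
    setpgid(child, child);      /* parent side too, so the group exists before kill() */

    if (waitpid(child, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
        /* Ctrl-C arrived: without this the child and its grandchildren would
         * be reparented to init (PPID 1) and keep running. */
        kill(-child, SIGTERM);
        if (waitpid(child, &status, 0) < 0)
            return -1;
    }
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return WIFEXITED(status) ? 0 : -1;
}

/* Constructed long-running test: sleeps, and spawns a grandchild that sleeps
 * too, so killing only 'child' would leave an orphan behind. */
static void long_running_test(void)
{
    if (fork() == 0) {
        sleep(30);
        _exit(0);
    }
    sleep(30);
}

/* Scenario: a helper process sends SIGINT to the harness after 200 ms,
 * standing in for the user pressing Ctrl-C. Expected result is SIGTERM (15):
 * the test child was terminated through its process group. */
int demo_interrupted_harness(void)
{
    struct timespec delay = { 0, 200 * 1000 * 1000 };
    pid_t harness = getpid();
    pid_t ctrl_c;
    int sig;

    if (install_sigint_handler() < 0)
        return -1;
    ctrl_c = fork();
    if (ctrl_c < 0)
        return -1;
    if (ctrl_c == 0) {
        nanosleep(&delay, NULL);
        kill(harness, SIGINT);
        _exit(0);
    }
    sig = run_test_in_pgrp(long_running_test);
    waitpid(ctrl_c, NULL, 0);
    return sig;
}

int main(void)
{
    int sig = demo_interrupted_harness();

    printf("test child ended by signal %d\n", sig);
    return sig == SIGTERM ? 0 : 1;
}
```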
    • staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice · 9ad681c4
      Ian Abbott authored
      [ Upstream commit e083926b ]
      
      The PFI subdevice flags indicate that the subdevice is readable and
      writeable, but that is only true for the supported "M-series" boards,
      not the older "E-series" boards.  Only set the SDF_READABLE and
      SDF_WRITABLE subdevice flags for the M-series boards.  These two flags
      are mainly for informational purposes.
      Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • dm kcopyd: avoid softlockup in run_complete_job · 66236f1b
      John Pittman authored
      [ Upstream commit 784c9a29 ]
      
      It was reported that softlockups occur when using dm-snapshot ontop of
      slow (rbd) storage.  E.g.:
      
      [ 4047.990647] watchdog: BUG: soft lockup - CPU#10 stuck for 22s! [kworker/10:23:26177]
      ...
      [ 4048.034151] Workqueue: kcopyd do_work [dm_mod]
      [ 4048.034156] RIP: 0010:copy_callback+0x41/0x160 [dm_snapshot]
      ...
      [ 4048.034190] Call Trace:
      [ 4048.034196]  ? __chunk_is_tracked+0x70/0x70 [dm_snapshot]
      [ 4048.034200]  run_complete_job+0x5f/0xb0 [dm_mod]
      [ 4048.034205]  process_jobs+0x91/0x220 [dm_mod]
      [ 4048.034210]  ? kcopyd_put_pages+0x40/0x40 [dm_mod]
      [ 4048.034214]  do_work+0x46/0xa0 [dm_mod]
      [ 4048.034219]  process_one_work+0x171/0x370
      [ 4048.034221]  worker_thread+0x1fc/0x3f0
      [ 4048.034224]  kthread+0xf8/0x130
      [ 4048.034226]  ? max_active_store+0x80/0x80
      [ 4048.034227]  ? kthread_bind+0x10/0x10
      [ 4048.034231]  ret_from_fork+0x35/0x40
      [ 4048.034233] Kernel panic - not syncing: softlockup: hung tasks
      
      Fix this by calling cond_resched() after run_complete_job()'s callout to
      the dm_kcopyd_notify_fn (which is dm-snap.c:copy_callback in the above
      trace).
      Signed-off-by: John Pittman <jpittman@redhat.com>
      Signed-off-by: Mike Snitzer <snitzer@redhat.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • PCI: mvebu: Fix I/O space end address calculation · d07bbe50
      Thomas Petazzoni authored
      [ Upstream commit dfd0309f ]
      
      pcie->realio.end should be the address of last byte of the area,
      therefore using resource_size() of another resource is not correct, we
      must subtract 1 to get the address of the last byte.
      
      Fixes: 11be6547 ("PCI: mvebu: Adapt to the new device tree layout")
      Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
      Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • scsi: aic94xx: fix an error code in aic94xx_init() · 242343eb
      Dan Carpenter authored
      [ Upstream commit 0756c57b ]
      
      We accidentally return success instead of -ENOMEM on this error path.
      
      Fixes: 2908d778 ("[SCSI] aic94xx: new driver")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
      Reviewed-by: John Garry <john.garry@huawei.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • s390/dasd: fix hanging offline processing due to canceled worker · 4057a200
      Stefan Haberland authored
      [ Upstream commit 669f3765 ]
      
      During offline processing two worker threads are canceled without
      freeing the device reference which leads to a hanging offline process.
      Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
      Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
      Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • powerpc: Fix size calculation using resource_size() · f675ab00
      Dan Carpenter authored
      [ Upstream commit c42d3be0 ]
      
      The problem is that the calculation should be "end - start + 1" but the
      plus one is missing in this calculation.
      
      Fixes: 8626816e ("powerpc: add support for MPIC message register API")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Tyrel Datwyler <tyreld@linux.vnet.ibm.com>
      Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/9p: fix error path of p9_virtio_probe · 75c55cbd
      Jean-Philippe Brucker authored
      [ Upstream commit 92aef467 ]
      
      Currently when virtio_find_single_vq fails, we go through del_vqs which
      throws a warning (Trying to free already-free IRQ).  Skip del_vqs if vq
      allocation failed.
      
      Link: http://lkml.kernel.org/r/20180524101021.49880-1-jean-philippe.brucker@arm.com
      Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
      Reviewed-by: Greg Kurz <groug@kaod.org>
      Cc: Eric Van Hensbergen <ericvh@gmail.com>
      Cc: Ron Minnich <rminnich@sandia.gov>
      Cc: Latchesar Ionkov <lucho@ionkov.net>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP · 35371798
      Jonas Gorski authored
      [ Upstream commit 0702bc4d ]
      
      When compiling bmips with SMP disabled, the build fails with:
      
      drivers/irqchip/irq-bcm7038-l1.o: In function `bcm7038_l1_cpu_offline':
      drivers/irqchip/irq-bcm7038-l1.c:242: undefined reference to `irq_set_affinity_locked'
      make[5]: *** [vmlinux] Error 1
      
      Fix this by adding and setting bcm7038_l1_cpu_offline only when actually
      compiling for SMP. It wouldn't have been used anyway, as it requires
      CPU_HOTPLUG, which in turn requires SMP.
      
      Fixes: 34c53579 ("irqchip/bcm7038-l1: Implement irq_cpu_offline() callback")
      Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
      Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 · ad09041e
      Aleh Filipovich authored
      [ Upstream commit 880b29ac ]
      
      Add entry to WMI keymap for lid flip event on Asus UX360.
      
      On Asus Zenbook ux360 flipping lid from/to tablet mode triggers
      keyscan code 0xfa which cannot be handled and results in kernel
      log message "Unknown key fa pressed".
      
      Signed-off-by: Aleh Filipovich <aleh@appnexus.com>
      Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mfd: sm501: Set coherent_dma_mask when creating subdevices · a429a299
      Guenter Roeck authored
      [ Upstream commit 2f606da7 ]
      
      Instantiating the sm501 OHCI subdevice results in a kernel warning.
      
      sm501-usb sm501-usb: SM501 OHCI
      sm501-usb sm501-usb: new USB bus registered, assigned bus number 1
      WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516
      ohci_init+0x194/0x2d8
      Modules linked in:
      
      CPU: 0 PID: 1 Comm: swapper Tainted: G        W
      4.18.0-rc7-00178-g0b5b1f9a #1
      PC is at ohci_init+0x194/0x2d8
      PR is at ohci_init+0x168/0x2d8
      PC  : 8c27844c SP  : 8f81dd94 SR  : 40008001
      TEA : 29613060
      R0  : 00000000 R1  : 00000000 R2  : 00000000 R3  : 00000202
      R4  : 8fa98b88 R5  : 8c277e68 R6  : 00000000 R7  : 00000000
      R8  : 8f965814 R9  : 8c388100 R10 : 8fa98800 R11 : 8fa98928
      R12 : 8c48302c R13 : 8fa98920 R14 : 8c48302c
      MACH: 00000096 MACL: 0000017c GBR : 00000000 PR  : 8c278420
      
      Call trace:
       [<(ptrval)>] usb_add_hcd+0x1e8/0x6ec
       [<(ptrval)>] _dev_info+0x0/0x54
       [<(ptrval)>] arch_local_save_flags+0x0/0x8
       [<(ptrval)>] arch_local_irq_restore+0x0/0x24
       [<(ptrval)>] ohci_hcd_sm501_drv_probe+0x114/0x2d8
      ...
      
      Initialize coherent_dma_mask when creating SM501 subdevices to fix
      the problem.
      
      Fixes: b6d6454f ("mfd: SM501 core driver")
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Lee Jones <lee.jones@linaro.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() · 4ebf605d
      Tan Hu authored
      [ Upstream commit a53b42c1 ]
      
      We came across infinite loop in ipvs when using ipvs in docker
      env.
      
      When ipvs receives new packets and cannot find an ipvs connection,
      it will create a new connection, then if the dest is unavailable
      (i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped silently.
      
      But if the dropped packet is the first packet of this connection,
      the connection control timer never has a chance to start and the
      ipvs connection cannot be released. This will lead to memory leak, or
      infinite loop in cleanup_net() when net namespace is released like
      this:
      
          ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
          __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
          ops_exit_list at ffffffff81567a49
          cleanup_net at ffffffff81568b40
          process_one_work at ffffffff810a851b
          worker_thread at ffffffff810a9356
          kthread at ffffffff810b0b6f
          ret_from_fork at ffffffff81697a18
      
      race condition:
          CPU1                           CPU2
          ip_vs_in()
            ip_vs_conn_new()
                                         ip_vs_del_dest()
                                           __ip_vs_unlink_dest()
                                             ~IP_VS_DEST_F_AVAILABLE
            cp->dest && !IP_VS_DEST_F_AVAILABLE
            __ip_vs_conn_put
          ...
          cleanup_net  ---> infinite looping
      
      Fix this by checking whether the timer already started.
      Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
      Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Acked-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ebf605d
    • Tetsuo Handa's avatar
      fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() · 90d91af0
      Tetsuo Handa authored
      [ Upstream commit 6cd00a01 ]
      
      Since only dentry->d_name.len + 1 bytes out of DNAME_INLINE_LEN bytes
      are initialized at __d_alloc(), we can't copy the whole size
      unconditionally.
      
       WARNING: kmemcheck: Caught 32-bit read from uninitialized memory (ffff8fa27465ac50)
       636f6e66696766732e746d70000000000010000000000000020000000188ffff
        i i i i i i i i i i i i i u u u u u u u u u u i i i i i u u u u
                                        ^
       RIP: 0010:take_dentry_name_snapshot+0x28/0x50
       RSP: 0018:ffffa83000f5bdf8 EFLAGS: 00010246
       RAX: 0000000000000020 RBX: ffff8fa274b20550 RCX: 0000000000000002
       RDX: ffffa83000f5be40 RSI: ffff8fa27465ac50 RDI: ffffa83000f5be60
       RBP: ffffa83000f5bdf8 R08: ffffa83000f5be48 R09: 0000000000000001
       R10: ffff8fa27465ac00 R11: ffff8fa27465acc0 R12: ffff8fa27465ac00
       R13: ffff8fa27465acc0 R14: 0000000000000000 R15: 0000000000000000
       FS:  00007f79737ac8c0(0000) GS:ffffffff8fc30000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: ffff8fa274c0b000 CR3: 0000000134aa7002 CR4: 00000000000606f0
        take_dentry_name_snapshot+0x28/0x50
        vfs_rename+0x128/0x870
        SyS_rename+0x3b2/0x3d0
        entry_SYSCALL_64_fastpath+0x1a/0xa4
        0xffffffffffffffff
      
      Link: http://lkml.kernel.org/r/201709131912.GBG39012.QMJLOVFSFFOOtH@I-love.SAKURA.ne.jp
      Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: Vegard Nossum <vegard.nossum@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      90d91af0