1. 10 Jan, 2020 16 commits
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · 9fb7007d
      Linus Torvalds authored
      Pull char/misc fix from Greg KH:
       "Here is a single fix, for the chrdev core, for 5.5-rc6
      
        There's been a long-standing race condition triggered by syzbot, and
        occasionally real people, in the chrdev open() path. Will finally took
        the time to track it down and fix it for real before the holidays.
      
        Here's that one patch, it's been in linux-next for a while with no
        reported issues and it does fix the reported problem"
      
      * tag 'char-misc-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        chardev: Avoid potential use-after-free in 'chrdev_open()'
      9fb7007d
    • Linus Torvalds's avatar
      Merge tag 'staging-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · 7da37cd0
      Linus Torvalds authored
      Pull staging fixes from Greg KH:
       "Here are some small staging driver fixes for 5.5-rc6.
      
        Nothing major here, just some small fixes for a comedi driver, the
        vt6656 driver, and a new device id for the rtl8188eu driver.
      
        All of these have been in linux-next for a while with no reported
        issues"
      
      * tag 'staging-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21
        staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713
        staging: vt6656: set usb_set_intfdata on driver fail.
        staging: vt6656: remove bool from vnt_radio_power_on ret
        staging: vt6656: limit reg output to block size
        staging: vt6656: correct return of vnt_init_registers.
        staging: vt6656: Fix non zero logical return of, usb_control_msg
      7da37cd0
    • Linus Torvalds's avatar
      Merge tag 'tty-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 5a96c0bb
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are two tty/serial driver fixes for 5.5-rc6.
      
        The first fixes a much much reported issue with a previous tty port
        link patch that is in your tree, and the second fixes a problem where
        the serdev driver would claim ACPI devices that it shouldn't be
        claiming.
      
        Both have been in linux-next for a while with no reported issues"
      
      * tag 'tty-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serdev: Don't claim unsupported ACPI serial devices
        tty: always relink the port
      5a96c0bb
    • Linus Torvalds's avatar
      Merge tag 'block-5.5-2020-01-10' of git://git.kernel.dk/linux-block · 4e4cd21c
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A few fixes that should go into this round.
      
        This pull request contains two NVMe fixes via Keith, removal of a dead
        function, and a fix for the bio op for read truncates (Ming)"
      
      * tag 'block-5.5-2020-01-10' of git://git.kernel.dk/linux-block:
        nvmet: fix per feat data len for get_feature
        nvme: Translate more status codes to blk_status_t
        fs: move guard_bio_eod() after bio_set_op_attrs
        block: remove unused mp_bvec_last_segment
      4e4cd21c
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.5-2020-01-10' of git://git.kernel.dk/linux-block · 30b6487d
      Linus Torvalds authored
      Pull io_uring fix from Jens Axboe:
       "Single fix for this series, fixing a regression with the short read
        handling.
      
        This just removes it, as it cannot safely be done for all cases"
      
      * tag 'io_uring-5.5-2020-01-10' of git://git.kernel.dk/linux-block:
        io_uring: remove punt of short reads to async context
      30b6487d
    • Linus Torvalds's avatar
      Merge tag 'mtd/fixes-for-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux · 4936ce17
      Linus Torvalds authored
      Pull MTD fixes from Miquel Raynal:
       "MTD:
         - sm_ftl: Fix NULL pointer warning.
      
        Raw NAND:
         - Cadence: fix compile testing.
         - STM32: Avoid locking.
      
        Onenand:
         - Fix several sparse/build warnings.
      
        SPI-NOR:
         - Add a flag to fix interaction with Micron parts"
      
      * tag 'mtd/fixes-for-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
        mtd: spi-nor: Fix the writing of the Status Register on micron flashes
        mtd: sm_ftl: fix NULL pointer warning
        mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy
        mtd: onenand: samsung: Fix iomem access with regular memcpy
        mtd: onenand: omap2: Fix errors in style
        mtd: cadence: Fix cast to pointer from integer of different size warning
        mtd: rawnand: stm32_fmc2: avoid to lock the CPU bus
      4936ce17
    • Linus Torvalds's avatar
      Merge tag 'sound-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · b1d198c0
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A few piled ASoC fixes and usual HD-audio and USB-audio fixups. Some
        of them are for ASoC core error-handling"
      
      * tag 'sound-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda: enable regmap internal locking
        ALSA: hda/realtek - Add quirk for the bass speaker on Lenovo Yoga X1 7th gen
        ALSA: hda/realtek - Set EAPD control to default for ALC222
        ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5
        ALSA: hda/realtek - Add new codec supported for ALCS1200A
        ASoC: Intel: boards: Fix compile-testing RT1011/RT5682
        ASoC: SOF: imx8: Fix dsp_box offset
        ASoC: topology: Prevent use-after-free in snd_soc_get_pcm_runtime()
        ASoC: fsl_audmix: add missed pm_runtime_disable
        ASoC: stm32: spdifrx: fix input pin state management
        ASoC: stm32: spdifrx: fix race condition in irq handler
        ASoC: stm32: spdifrx: fix inconsistent lock state
        ASoC: core: Fix access to uninitialized list heads
        ASoC: soc-core: Set dpcm_playback / dpcm_capture
        ASoC: SOF: imx8: fix memory allocation failure check on priv->pd_dev
        ASoC: SOF: Intel: hda: hda-dai: fix oops on hda_link .hw_free
        ASoC: SOF: fix fault at driver unload after failed probe
      b1d198c0
    • Linus Torvalds's avatar
      Merge tag 'thermal-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux · 658e1af5
      Linus Torvalds authored
      Pull thermal fix from Daniel Lezcano:
       "Fix backward compatibility with old DTBs on QCOM tsens (Amit
        Kucheria)"
      
      * tag 'thermal-v5.5-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/thermal/linux:
        drivers: thermal: tsens: Work with old DTBs
      658e1af5
    • Linus Torvalds's avatar
      Merge tag 'pm-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · c23e744b
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "Prevent the cpufreq-dt driver from probing Tegra20/30 (Dmitry
        Osipenko) and prevent the Intel RAPL power capping driver from
        crashing during CPU initialization due to a NULL pointer dereference
        if the processor model in use is not known to it (Harry Pan)"
      
      * tag 'pm-5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online()
        cpufreq: dt-platdev: Blacklist NVIDIA Tegra20 and Tegra30 SoCs
      c23e744b
    • Amit Engel's avatar
      nvmet: fix per feat data len for get_feature · e17016f6
      Amit Engel authored
      The existing implementation for the get_feature admin-cmd does not
      use per-feature data len. This patch introduces a new helper function
      nvmet_feat_data_len(), which is used to calculate per feature data len.
      Right now we only set data len for fid 0x81 (NVME_FEAT_HOST_ID).
      
      Fixes: commit e9061c39 ("nvmet: Remove the data_len field from the nvmet_req struct")
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAmit Engel <amit.engel@dell.com>
      [endiness, naming, and kernel style fixes]
      Signed-off-by: default avatarChaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
      Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      e17016f6
    • Keith Busch's avatar
      nvme: Translate more status codes to blk_status_t · 35038bff
      Keith Busch authored
      Decode interrupted command and not ready namespace nvme status codes to
      BLK_STS_TARGET. These are not generic IO errors and should use a non-path
      specific error so that it can use the non-failover retry path.
      Reported-by: default avatarJohn Meneghini <John.Meneghini@netapp.com>
      Cc: Hannes Reinecke <hare@suse.de>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      35038bff
    • Rafael J. Wysocki's avatar
      Merge branch 'powercap' · 10674d97
      Rafael J. Wysocki authored
      * powercap:
        powercap: intel_rapl: add NULL pointer check to rapl_mmio_cpu_online()
      10674d97
    • Linus Torvalds's avatar
      Merge tag 'pstore-v5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · bef1d882
      Linus Torvalds authored
      Pull pstore fix from Kees Cook:
       "Cengiz Can forwarded a Coverity report about more problems with a rare
        pstore initialization error path, so the allocation lifetime was
        rearranged to avoid needing to share the kfree() responsibilities
        between caller and callee"
      
      * tag 'pstore-v5.5-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        pstore/ram: Regularize prz label allocation lifetime
      bef1d882
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-01-10' of git://anongit.freedesktop.org/drm/drm · 6d25ef77
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Pre-LCA pull request I'm not sure how things will look next week,
        myself and Daniel are at LCA and I'm speaking quite late, so if I get
        my talk finished I'll probably process fixes.
      
        This week has a bunch of i915 fixes, some amdgpu fixes, one sun4i, one
        core MST, and one core fb_helper fix. More details below:
      
        core:
         - mst Fix NO_STOP_BIT bit offset (Wayne)
      
        fb_helper:
         - fb_helper: Fix bits_per_pixel param set behavior to round up
           (Geert)
      
        sun4i:
         - Fix RGB_DIV clock min divider on old hardware (Chen-Yu)
      
        amdgpu:
         - Stability fix for raven
         - Reduce pixel encoding to if max clock is exceeded on HDMI to allow
           additional high res modes
         - enable DRIVER_SYNCOBJ_TIMELINE for amdgpu
      
        i915:
         - Fix GitLab issue #446 causing GPU hangs: Do not restore invalid RS
           state
         - Fix GitLab issue #846: Restore coarse power gating that was
           disabled by initial RC66 context corruption security fixes.
         - Revert f6ec9483 ("drm/i915: extend audio CDCLK>=2*BCLK
           constraint to more platforms") to avoid screen flicker
         - Fix to fill in unitialized uabi_instance in virtual engine uAPI
         - Add two missing W/As for ICL and EHL"
      
      * tag 'drm-fixes-2020-01-10' of git://anongit.freedesktop.org/drm/drm:
        drm/amdgpu: add DRIVER_SYNCOBJ_TIMELINE to amdgpu
        drm/amd/display: Reduce HDMI pixel encoding if max clock is exceeded
        Revert "drm/amdgpu: Set no-retry as default."
        drm/fb-helper: Round up bits_per_pixel if possible
        drm/sun4i: tcon: Set RGB DCLK min. divider based on hardware model
        drm/i915/dp: Disable Port sync mode correctly on teardown
        drm/i915: Add Wa_1407352427:icl,ehl
        drm/i915: Add Wa_1408615072 and Wa_1407596294 to icl,ehl
        drm/i915/gt: Restore coarse power gating
        drm/i915/gt: Do not restore invalid RS state
        drm/i915: Limit audio CDCLK>=2*BCLK constraint back to GLK only
        drm/i915/gt: Mark up virtual engine uabi_instance
        drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ
      6d25ef77
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 5e7c1b75
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "First RDMA subsystem updates for 5.5-rc. A very small set of fixes,
        most people seem to still be recovering from December!
      
        Five small driver fixes:
      
         - Fix error flow with MR allocation in bnxt_re
      
         - An errata work around for bnxt_re
      
         - Misuse of the workqueue API in hfi1
      
         - Protocol error in hfi1
      
         - Regression in 5.5 related to the mmap rework with i40iw"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        i40iw: Remove setting of VMA private data and use rdma_user_mmap_io
        IB/hfi1: Adjust flow PSN with the correct resync_psn
        IB/hfi1: Don't cancel unused work item
        RDMA/bnxt_re: Fix Send Work Entry state check while polling completions
        RDMA/bnxt_re: Avoid freeing MR resources if dereg fails
      5e7c1b75
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2020-01-09-1' of... · 023b3b0e
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2020-01-09-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Fix GitLab issue #446 causing GPU hangs: Do not restore invalid RS state
      - Fix GitLab issue #846: Restore coarse power gating that was disabled
        by initial RC66 context corruption security fixes.
      - Revert f6ec9483 ("drm/i915: extend audio CDCLK>=2*BCLK constraint to more platforms")
        to avoid screen flicker
      - Fix to fill in unitialized uabi_instance in virtual engine uAPI
      - Add two missing W/As for ICL and EHL
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200109133458.GA15558@jlahtine-desk.ger.corp.intel.com
      023b3b0e
  2. 09 Jan, 2020 17 commits
  3. 08 Jan, 2020 7 commits
    • Tuong Lien's avatar
      tipc: fix wrong connect() return code · 9546a0b7
      Tuong Lien authored
      The current 'tipc_wait_for_connect()' function does a wait-loop for the
      condition 'sk->sk_state != TIPC_CONNECTING' to conclude if the socket
      connecting has done. However, when the condition is met, it returns '0'
      even in the case the connecting is actually failed, the socket state is
      set to 'TIPC_DISCONNECTING' (e.g. when the server socket has closed..).
      This results in a wrong return code for the 'connect()' call from user,
      making it believe that the connection is established and go ahead with
      building, sending a message, etc. but finally failed e.g. '-EPIPE'.
      
      This commit fixes the issue by changing the wait condition to the
      'tipc_sk_connected(sk)', so the function will return '0' only when the
      connection is really established. Otherwise, either the socket 'sk_err'
      if any or '-ETIMEDOUT'/'-EINTR' will be returned correspondingly.
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9546a0b7
    • Tuong Lien's avatar
      tipc: fix link overflow issue at socket shutdown · 49afb806
      Tuong Lien authored
      When a socket is suddenly shutdown or released, it will reject all the
      unreceived messages in its receive queue. This applies to a connected
      socket too, whereas there is only one 'FIN' message required to be sent
      back to its peer in this case.
      
      In case there are many messages in the queue and/or some connections
      with such messages are shutdown at the same time, the link layer will
      easily get overflowed at the 'TIPC_SYSTEM_IMPORTANCE' backlog level
      because of the message rejections. As a result, the link will be taken
      down. Moreover, immediately when the link is re-established, the socket
      layer can continue to reject the messages and the same issue happens...
      
      The commit refactors the '__tipc_shutdown()' function to only send one
      'FIN' in the situation mentioned above. For the connectionless case, it
      is unavoidable but usually there is no rejections for such socket
      messages because they are 'dest-droppable' by default.
      
      In addition, the new code makes the other socket states clear
      (e.g.'TIPC_LISTEN') and treats as a separate case to avoid misbehaving.
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarTuong Lien <tuong.t.lien@dektech.com.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      49afb806
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · b73a6561
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Missing netns context in arp_tables, from Florian Westphal.
      
      2) Underflow in flowtable reference counter, from wenxu.
      
      3) Fix incorrect ethernet destination address in flowtable offload,
         from wenxu.
      
      4) Check for status of neighbour entry, from wenxu.
      
      5) Fix NAT port mangling, from wenxu.
      
      6) Unbind callbacks from destroy path to cleanup hardware properly
         on flowtable removal.
      
      7) Fix missing casting statistics timestamp, add nf_flowtable_time_stamp
         and use it.
      
      8) NULL pointer exception when timeout argument is null in conntrack
         dccp and sctp protocol helpers, from Florian Westphal.
      
      9) Possible nul-dereference in ipset with IPSET_ATTR_LINENO, also from
         Florian.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b73a6561
    • Florian Westphal's avatar
      netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present · 22dad713
      Florian Westphal authored
      The set uadt functions assume lineno is never NULL, but it is in
      case of ip_set_utest().
      
      syzkaller managed to generate a netlink message that calls this with
      LINENO attr present:
      
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104
      Call Trace:
       ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867
       nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
       netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
       nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563
      
      pass a dummy lineno storage, its easier than patching all set
      implementations.
      
      This seems to be a day-0 bug.
      
      Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com
      Fixes: a7b4f989 ("netfilter: ipset: IP set core support")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      22dad713
    • Florian Westphal's avatar
      netfilter: conntrack: dccp, sctp: handle null timeout argument · 1d9a7acd
      Florian Westphal authored
      The timeout pointer can be NULL which means we should modify the
      per-nets timeout instead.
      
      All do this, except sctp and dccp which instead give:
      
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      net/netfilter/nf_conntrack_proto_dccp.c:682
       ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67
       cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368
       nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
       netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
      
      Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com
      Fixes: c779e849 ("netfilter: conntrack: remove get_timeout() indirection")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      1d9a7acd
    • Arnd Bergmann's avatar
      atm: eni: fix uninitialized variable warning · 30780d08
      Arnd Bergmann authored
      With -O3, gcc has found an actual unintialized variable stored
      into an mmio register in two instances:
      
      drivers/atm/eni.c: In function 'discard':
      drivers/atm/eni.c:465:13: error: 'dma[1]' is used uninitialized in this function [-Werror=uninitialized]
         writel(dma[i*2+1],eni_dev->rx_dma+dma_wr*8+4);
                   ^
      drivers/atm/eni.c:465:13: error: 'dma[3]' is used uninitialized in this function [-Werror=uninitialized]
      
      Change the code to always write zeroes instead.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      30780d08
    • Eric Dumazet's avatar
      macvlan: do not assume mac_header is set in macvlan_broadcast() · 96cc4b69
      Eric Dumazet authored
      Use of eth_hdr() in tx path is error prone.
      
      Many drivers call skb_reset_mac_header() before using it,
      but others do not.
      
      Commit 6d1ccff6 ("net: reset mac header in dev_start_xmit()")
      attempted to fix this generically, but commit d346a3fa
      ("packet: introduce PACKET_QDISC_BYPASS socket option") brought
      back the macvlan bug.
      
      Lets add a new helper, so that tx paths no longer have
      to call skb_reset_mac_header() only to get a pointer
      to skb->data.
      
      Hopefully we will be able to revert 6d1ccff6
      ("net: reset mac header in dev_start_xmit()") and save few cycles
      in transmit fast path.
      
      BUG: KASAN: use-after-free in __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
      BUG: KASAN: use-after-free in mc_hash drivers/net/macvlan.c:251 [inline]
      BUG: KASAN: use-after-free in macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
      Read of size 4 at addr ffff8880a4932401 by task syz-executor947/9579
      
      CPU: 0 PID: 9579 Comm: syz-executor947 Not tainted 5.5.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
       __get_unaligned_cpu32 include/linux/unaligned/packed_struct.h:19 [inline]
       mc_hash drivers/net/macvlan.c:251 [inline]
       macvlan_broadcast+0x547/0x620 drivers/net/macvlan.c:277
       macvlan_queue_xmit drivers/net/macvlan.c:520 [inline]
       macvlan_start_xmit+0x402/0x77f drivers/net/macvlan.c:559
       __netdev_start_xmit include/linux/netdevice.h:4447 [inline]
       netdev_start_xmit include/linux/netdevice.h:4461 [inline]
       dev_direct_xmit+0x419/0x630 net/core/dev.c:4079
       packet_direct_xmit+0x1a9/0x250 net/packet/af_packet.c:240
       packet_snd net/packet/af_packet.c:2966 [inline]
       packet_sendmsg+0x260d/0x6220 net/packet/af_packet.c:2991
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:659
       __sys_sendto+0x262/0x380 net/socket.c:1985
       __do_sys_sendto net/socket.c:1997 [inline]
       __se_sys_sendto net/socket.c:1993 [inline]
       __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1993
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x442639
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 5b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffc13549e08 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000442639
      RDX: 000000000000000e RSI: 0000000020000080 RDI: 0000000000000003
      RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
      R13: 0000000000403bb0 R14: 0000000000000000 R15: 0000000000000000
      
      Allocated by task 9389:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_kmalloc+0x9/0x10 mm/kasan/common.c:527
       __do_kmalloc mm/slab.c:3656 [inline]
       __kmalloc+0x163/0x770 mm/slab.c:3665
       kmalloc include/linux/slab.h:561 [inline]
       tomoyo_realpath_from_path+0xc5/0x660 security/tomoyo/realpath.c:252
       tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
       tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
       tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
       security_inode_getattr+0xf2/0x150 security/security.c:1222
       vfs_getattr+0x25/0x70 fs/stat.c:115
       vfs_statx_fd+0x71/0xc0 fs/stat.c:145
       vfs_fstat include/linux/fs.h:3265 [inline]
       __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
       __se_sys_newfstat fs/stat.c:375 [inline]
       __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 9389:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kfree+0x10a/0x2c0 mm/slab.c:3757
       tomoyo_realpath_from_path+0x1a7/0x660 security/tomoyo/realpath.c:289
       tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
       tomoyo_path_perm+0x230/0x430 security/tomoyo/file.c:822
       tomoyo_inode_getattr+0x1d/0x30 security/tomoyo/tomoyo.c:129
       security_inode_getattr+0xf2/0x150 security/security.c:1222
       vfs_getattr+0x25/0x70 fs/stat.c:115
       vfs_statx_fd+0x71/0xc0 fs/stat.c:145
       vfs_fstat include/linux/fs.h:3265 [inline]
       __do_sys_newfstat+0x9b/0x120 fs/stat.c:378
       __se_sys_newfstat fs/stat.c:375 [inline]
       __x64_sys_newfstat+0x54/0x80 fs/stat.c:375
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      The buggy address belongs to the object at ffff8880a4932000
       which belongs to the cache kmalloc-4k of size 4096
      The buggy address is located 1025 bytes inside of
       4096-byte region [ffff8880a4932000, ffff8880a4933000)
      The buggy address belongs to the page:
      page:ffffea0002924c80 refcount:1 mapcount:0 mapping:ffff8880aa402000 index:0x0 compound_mapcount: 0
      raw: 00fffe0000010200 ffffea0002846208 ffffea00028f3888 ffff8880aa402000
      raw: 0000000000000000 ffff8880a4932000 0000000100000001 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8880a4932300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880a4932380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff8880a4932400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
       ffff8880a4932480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8880a4932500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: b863ceb7 ("[NET]: Add macvlan driver")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      96cc4b69