1. 11 Feb, 2020 36 commits
    • Takashi Iwai's avatar
      ALSA: usb-audio: Fix endianess in descriptor validation · a46ebc21
      Takashi Iwai authored
      commit f8e5f90b upstream.
      
      I overlooked that some fields are words and need the converts from
      LE in the recently added USB descriptor validation code.
      This patch fixes those with the proper macro usages.
      
      Fixes: 57f87706 ("ALSA: usb-audio: More validations of descriptor units")
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200201080530.22390-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a46ebc21
    • Bryan O'Donoghue's avatar
      usb: gadget: f_ecm: Use atomic_t to track in-flight request · e3ed79d1
      Bryan O'Donoghue authored
      commit d710562e upstream.
      
      Currently ecm->notify_req is used to flag when a request is in-flight.
      ecm->notify_req is set to NULL and when a request completes it is
      subsequently reset.
      
      This is fundamentally buggy in that the unbind logic of the ECM driver will
      unconditionally free ecm->notify_req leading to a NULL pointer dereference.
      
      Fixes: da741b8c ("usb ethernet gadget: split CDC Ethernet function")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarBryan O'Donoghue <bryan.odonoghue@linaro.org>
      Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3ed79d1
    • Bryan O'Donoghue's avatar
      usb: gadget: f_ncm: Use atomic_t to track in-flight request · d1e5dcaf
      Bryan O'Donoghue authored
      commit 5b24c28c upstream.
      
      Currently ncm->notify_req is used to flag when a request is in-flight.
      ncm->notify_req is set to NULL and when a request completes it is
      subsequently reset.
      
      This is fundamentally buggy in that the unbind logic of the NCM driver will
      unconditionally free ncm->notify_req leading to a NULL pointer dereference.
      
      Fixes: 40d133d7 ("usb: gadget: f_ncm: convert to new function interface with backward compatibility")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarBryan O'Donoghue <bryan.odonoghue@linaro.org>
      Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d1e5dcaf
    • Roger Quadros's avatar
      usb: gadget: legacy: set max_speed to super-speed · 0c26dfaf
      Roger Quadros authored
      commit 463f67ae upstream.
      
      These interfaces do support super-speed so let's not
      limit maximum speed to high-speed.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarFelipe Balbi <balbi@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0c26dfaf
    • Jun Li's avatar
      usb: typec: tcpci: mask event interrupts when remove driver · 1ee531e8
      Jun Li authored
      commit 3ba76256 upstream.
      
      This is to prevent any possible events generated while unregister
      tpcm port.
      
      Fixes: 74e656d6 ("staging: typec: Type-C Port Controller Interface driver (tcpci)")
      Signed-off-by: default avatarLi Jun <jun.li@nxp.com>
      Reviewed-by: default avatarHeikki Krogerus <heikki.krogerus@linux.intel.com>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Link: https://lore.kernel.org/r/1579502333-4145-1-git-send-email-jun.li@nxp.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1ee531e8
    • Navid Emamdoost's avatar
      brcmfmac: Fix memory leak in brcmf_usbdev_qinit · 0eb1a435
      Navid Emamdoost authored
      commit 4282dc05 upstream.
      
      In the implementation of brcmf_usbdev_qinit() the allocated memory for
      reqs is leaking if usb_alloc_urb() fails. Release reqs in the error
      handling path.
      
      Fixes: 71bb244b ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0eb1a435
    • Eric Dumazet's avatar
      rcu: Avoid data-race in rcu_gp_fqs_check_wake() · 00b13445
      Eric Dumazet authored
      commit 6935c398 upstream.
      
      The rcu_gp_fqs_check_wake() function uses rcu_preempt_blocked_readers_cgp()
      to read ->gp_tasks while other cpus might overwrite this field.
      
      We need READ_ONCE()/WRITE_ONCE() pairs to avoid compiler
      tricks and KCSAN splats like the following :
      
      BUG: KCSAN: data-race in rcu_gp_fqs_check_wake / rcu_preempt_deferred_qs_irqrestore
      
      write to 0xffffffff85a7f190 of 8 bytes by task 7317 on cpu 0:
       rcu_preempt_deferred_qs_irqrestore+0x43d/0x580 kernel/rcu/tree_plugin.h:507
       rcu_read_unlock_special+0xec/0x370 kernel/rcu/tree_plugin.h:659
       __rcu_read_unlock+0xcf/0xe0 kernel/rcu/tree_plugin.h:394
       rcu_read_unlock include/linux/rcupdate.h:645 [inline]
       __ip_queue_xmit+0x3b0/0xa40 net/ipv4/ip_output.c:533
       ip_queue_xmit+0x45/0x60 include/net/ip.h:236
       __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158
       __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685
       tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691
       tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575
       tcp_recvmsg+0x633/0x1a30 net/ipv4/tcp.c:2179
       inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838
       sock_recvmsg_nosec net/socket.c:871 [inline]
       sock_recvmsg net/socket.c:889 [inline]
       sock_recvmsg+0x92/0xb0 net/socket.c:885
       sock_read_iter+0x15f/0x1e0 net/socket.c:967
       call_read_iter include/linux/fs.h:1864 [inline]
       new_sync_read+0x389/0x4f0 fs/read_write.c:414
      
      read to 0xffffffff85a7f190 of 8 bytes by task 10 on cpu 1:
       rcu_gp_fqs_check_wake kernel/rcu/tree.c:1556 [inline]
       rcu_gp_fqs_check_wake+0x93/0xd0 kernel/rcu/tree.c:1546
       rcu_gp_fqs_loop+0x36c/0x580 kernel/rcu/tree.c:1611
       rcu_gp_kthread+0x143/0x220 kernel/rcu/tree.c:1768
       kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 10 Comm: rcu_preempt Not tainted 5.3.0+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      [ paulmck:  Added another READ_ONCE() for RCU CPU stall warnings. ]
      Signed-off-by: default avatarPaul E. McKenney <paulmck@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      00b13445
    • Mathieu Desnoyers's avatar
      tracing: Fix sched switch start/stop refcount racy updates · 62bfa26e
      Mathieu Desnoyers authored
      commit 64ae572b upstream.
      
      Reading the sched_cmdline_ref and sched_tgid_ref initial state within
      tracing_start_sched_switch without holding the sched_register_mutex is
      racy against concurrent updates, which can lead to tracepoint probes
      being registered more than once (and thus trigger warnings within
      tracepoint.c).
      
      [ May be the fix for this bug ]
      Link: https://lore.kernel.org/r/000000000000ab6f84056c786b93@google.com
      
      Link: http://lkml.kernel.org/r/20190817141208.15226-1-mathieu.desnoyers@efficios.com
      
      Cc: stable@vger.kernel.org
      CC: Steven Rostedt (VMware) <rostedt@goodmis.org>
      CC: Joel Fernandes (Google) <joel@joelfernandes.org>
      CC: Peter Zijlstra <peterz@infradead.org>
      CC: Thomas Gleixner <tglx@linutronix.de>
      CC: Paul E. McKenney <paulmck@linux.ibm.com>
      Reported-by: syzbot+774fddf07b7ab29a1e55@syzkaller.appspotmail.com
      Fixes: d914ba37 ("tracing: Add support for recording tgid of tasks")
      Signed-off-by: default avatarMathieu Desnoyers <mathieu.desnoyers@efficios.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      62bfa26e
    • Lu Shuaibing's avatar
      ipc/msg.c: consolidate all xxxctl_down() functions · 078dd732
      Lu Shuaibing authored
      commit 889b3317 upstream.
      
      A use of uninitialized memory in msgctl_down() because msqid64 in
      ksys_msgctl hasn't been initialized.  The local | msqid64 | is created in
      ksys_msgctl() and then passed into msgctl_down().  Along the way msqid64
      is never initialized before msgctl_down() checks msqid64->msg_qbytes.
      
      KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool)
      reports:
      
      ==================================================================
      BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300
      Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022
      
      CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      Call Trace:
       dump_stack+0x75/0xae
       __kumsan_report+0x17c/0x3e6
       kumsan_report+0xe/0x20
       msgctl_down+0x94/0x300
       ksys_msgctl.constprop.14+0xef/0x260
       do_syscall_64+0x7e/0x1f0
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x4400e9
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
      R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970
      R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x100000000000000()
      raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kumsan: bad access detected
      ==================================================================
      
      Syzkaller reproducer:
      msgctl$IPC_RMID(0x0, 0x0)
      
      C reproducer:
      // autogenerated by syzkaller (https://github.com/google/syzkaller)
      
      int main(void)
      {
        syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0);
        syscall(__NR_msgctl, 0, 0, 0);
        return 0;
      }
      
      [natechancellor@gmail.com: adjust indentation in ksys_msgctl]
        Link: https://github.com/ClangBuiltLinux/linux/issues/829
        Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com
      Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.comSigned-off-by: default avatarLu Shuaibing <shuaibinglu@126.com>
      Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Suggested-by: default avatarArnd Bergmann <arnd@arndb.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Manfred Spraul <manfred@colorfullife.com>
      Cc: NeilBrown <neilb@suse.com>
      From: Andrew Morton <akpm@linux-foundation.org>
      Subject: ipc/msg.c: consolidate all xxxctl_down() functions
      
      Each line here overflows 80 cols by exactly one character.  Delete one tab
      per line to fix.
      
      Cc: Shaohua Li <shli@fb.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      078dd732
    • Oliver Neukum's avatar
      mfd: dln2: More sanity checking for endpoints · f7d8f999
      Oliver Neukum authored
      commit 2b8bd606 upstream.
      
      It is not enough to check for the number of endpoints.
      The types must also be correct.
      
      Reported-and-tested-by: syzbot+48a2851be24583b864dc@syzkaller.appspotmail.com
      Signed-off-by: default avatarOliver Neukum <oneukum@suse.com>
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLee Jones <lee.jones@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f7d8f999
    • Will Deacon's avatar
      media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors · 3ceb3fcd
      Will Deacon authored
      commit 68035c80 upstream.
      
      Way back in 2017, fuzzing the 4.14-rc2 USB stack with syzkaller kicked
      up the following WARNING from the UVC chain scanning code:
      
        | list_add double add: new=ffff880069084010, prev=ffff880069084010,
        | next=ffff880067d22298.
        | ------------[ cut here ]------------
        | WARNING: CPU: 1 PID: 1846 at lib/list_debug.c:31 __list_add_valid+0xbd/0xf0
        | Modules linked in:
        | CPU: 1 PID: 1846 Comm: kworker/1:2 Not tainted
        | 4.14.0-rc2-42613-g1488251d1a98 #238
        | Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
        | Workqueue: usb_hub_wq hub_event
        | task: ffff88006b01ca40 task.stack: ffff880064358000
        | RIP: 0010:__list_add_valid+0xbd/0xf0 lib/list_debug.c:29
        | RSP: 0018:ffff88006435ddd0 EFLAGS: 00010286
        | RAX: 0000000000000058 RBX: ffff880067d22298 RCX: 0000000000000000
        | RDX: 0000000000000058 RSI: ffffffff85a58800 RDI: ffffed000c86bbac
        | RBP: ffff88006435dde8 R08: 1ffff1000c86ba52 R09: 0000000000000000
        | R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069084010
        | R13: ffff880067d22298 R14: ffff880069084010 R15: ffff880067d222a0
        | FS:  0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000
        | CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        | CR2: 0000000020004ff2 CR3: 000000006b447000 CR4: 00000000000006e0
        | Call Trace:
        |  __list_add ./include/linux/list.h:59
        |  list_add_tail+0x8c/0x1b0 ./include/linux/list.h:92
        |  uvc_scan_chain_forward.isra.8+0x373/0x416
        | drivers/media/usb/uvc/uvc_driver.c:1471
        |  uvc_scan_chain drivers/media/usb/uvc/uvc_driver.c:1585
        |  uvc_scan_device drivers/media/usb/uvc/uvc_driver.c:1769
        |  uvc_probe+0x77f2/0x8f00 drivers/media/usb/uvc/uvc_driver.c:2104
      
      Looking into the output from usbmon, the interesting part is the
      following data packet:
      
        ffff880069c63e00 30710169 C Ci:1:002:0 0 143 = 09028f00 01030080
        00090403 00000e01 00000924 03000103 7c003328 010204db
      
      If we drop the lead configuration and interface descriptors, we're left
      with an output terminal descriptor describing a generic display:
      
        /* Output terminal descriptor */
        buf[0]	09
        buf[1]	24
        buf[2]	03	/* UVC_VC_OUTPUT_TERMINAL */
        buf[3]	00	/* ID */
        buf[4]	01	/* type == 0x0301 (UVC_OTT_DISPLAY) */
        buf[5]	03
        buf[6]	7c
        buf[7]	00	/* source ID refers to self! */
        buf[8]	33
      
      The problem with this descriptor is that it is self-referential: the
      source ID of 0 matches itself! This causes the 'struct uvc_entity'
      representing the display to be added to its chain list twice during
      'uvc_scan_chain()': once via 'uvc_scan_chain_entity()' when it is
      processed directly from the 'dev->entities' list and then again
      immediately afterwards when trying to follow the source ID in
      'uvc_scan_chain_forward()'
      
      Add a check before adding an entity to a chain list to ensure that the
      entity is not already part of a chain.
      
      Link: https://lore.kernel.org/linux-media/CAAeHK+z+Si69jUR+N-SjN9q4O+o5KFiNManqEa-PjUta7EOb7A@mail.gmail.com/
      
      Cc: <stable@vger.kernel.org>
      Fixes: c0efd232 ("V4L/DVB (8145a): USB Video Class driver")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ceb3fcd
    • David Howells's avatar
      rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect · 22779a27
      David Howells authored
      [ Upstream commit 5273a191 ]
      
      When a call is disconnected, the connection pointer from the call is
      cleared to make sure it isn't used again and to prevent further attempted
      transmission for the call.  Unfortunately, there might be a daemon trying
      to use it at the same time to transmit a packet.
      
      Fix this by keeping call->conn set, but setting a flag on the call to
      indicate disconnection instead.
      
      Remove also the bits in the transmission functions where the conn pointer is
      checked and a ref taken under spinlock as this is now redundant.
      
      Fixes: 8d94aa38 ("rxrpc: Calls shouldn't hold socket refs")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22779a27
    • David Howells's avatar
      rxrpc: Fix missing active use pinning of rxrpc_local object · a2562d42
      David Howells authored
      [ Upstream commit 04d36d74 ]
      
      The introduction of a split between the reference count on rxrpc_local
      objects and the usage count didn't quite go far enough.  A number of kernel
      work items need to make use of the socket to perform transmission.  These
      also need to get an active count on the local object to prevent the socket
      from being closed.
      
      Fix this by getting the active count in those places.
      
      Also split out the raw active count get/put functions as these places tend
      to hold refs on the rxrpc_local object already, so getting and putting an
      extra object ref is just a waste of time.
      
      The problem can lead to symptoms like:
      
          BUG: kernel NULL pointer dereference, address: 0000000000000018
          ..
          CPU: 2 PID: 818 Comm: kworker/u9:0 Not tainted 5.5.0-fscache+ #51
          ...
          RIP: 0010:selinux_socket_sendmsg+0x5/0x13
          ...
          Call Trace:
           security_socket_sendmsg+0x2c/0x3e
           sock_sendmsg+0x1a/0x46
           rxrpc_send_keepalive+0x131/0x1ae
           rxrpc_peer_keepalive_worker+0x219/0x34b
           process_one_work+0x18e/0x271
           worker_thread+0x1a3/0x247
           kthread+0xe6/0xeb
           ret_from_fork+0x1f/0x30
      
      Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2562d42
    • David Howells's avatar
      rxrpc: Fix insufficient receive notification generation · dba85332
      David Howells authored
      [ Upstream commit f71dbf2f ]
      
      In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
      number of the packet is immediately following the hard-ack point at the end
      of the function.  However, this isn't sufficient, since the recvmsg side
      may have been advancing the window and then overrun the position in which
      we're adding - at which point rx_hard_ack >= seq0 and no notification is
      generated.
      
      Fix this by always generating a notification at the end of the input
      function.
      
      Without this, a long call may stall, possibly indefinitely.
      
      Fixes: 248f219c ("rxrpc: Rewrite the data and ack handling code")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dba85332
    • David Howells's avatar
      rxrpc: Fix use-after-free in rxrpc_put_local() · 85c45a48
      David Howells authored
      [ Upstream commit fac20b9e ]
      
      Fix rxrpc_put_local() to not access local->debug_id after calling
      atomic_dec_return() as, unless that returned n==0, we no longer have the
      right to access the object.
      
      Fixes: 06d9532f ("rxrpc: Fix read-after-free in rxrpc_queue_local()")
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85c45a48
    • Eric Dumazet's avatar
      tcp: clear tp->segs_{in|out} in tcp_disconnect() · 7e23f798
      Eric Dumazet authored
      [ Upstream commit 784f8344 ]
      
      tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: 2efd055c ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Marcelo Ricardo Leitner <mleitner@redhat.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e23f798
    • Eric Dumazet's avatar
      tcp: clear tp->data_segs{in|out} in tcp_disconnect() · 57542c05
      Eric Dumazet authored
      [ Upstream commit db7ffee6 ]
      
      tp->data_segs_in and tp->data_segs_out need to be cleared
      in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: a44d6eac ("tcp: Add RFC4898 tcpEStatsPerfDataSegsOut/In")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      57542c05
    • Eric Dumazet's avatar
      tcp: clear tp->delivered in tcp_disconnect() · 2d4bec3b
      Eric Dumazet authored
      [ Upstream commit 2fbdd562 ]
      
      tp->delivered needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: ddf1af6f ("tcp: new delivery accounting")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Yuchung Cheng <ycheng@google.com>
      Cc: Neal Cardwell <ncardwell@google.com>
      Acked-by: default avatarYuchung Cheng <ycheng@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d4bec3b
    • Eric Dumazet's avatar
      tcp: clear tp->total_retrans in tcp_disconnect() · 4206e664
      Eric Dumazet authored
      [ Upstream commit c13c48c0 ]
      
      total_retrans needs to be cleared in tcp_disconnect().
      
      tcp_disconnect() is rarely used, but it is worth fixing it.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: SeongJae Park <sjpark@amazon.de>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4206e664
    • Michael Chan's avatar
      bnxt_en: Fix TC queue mapping. · e7ec10b4
      Michael Chan authored
      [ Upstream commit 18e4960c ]
      
      The driver currently only calls netdev_set_tc_queue when the number of
      TCs is greater than 1.  Instead, the comparison should be greater than
      or equal to 1.  Even with 1 TC, we need to set the queue mapping.
      
      This bug can cause warnings when the number of TCs is changed back to 1.
      
      Fixes: 7809592d ("bnxt_en: Enable MSIX early in bnxt_init_one().")
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7ec10b4
    • Nicolin Chen's avatar
      net: stmmac: Delete txtimer in suspend() · 0529d1ea
      Nicolin Chen authored
      [ Upstream commit 14b41a29 ]
      
      When running v5.5 with a rootfs on NFS, memory abort may happen in
      the system resume stage:
       Unable to handle kernel paging request at virtual address dead00000000012a
       [dead00000000012a] address between user and kernel address ranges
       pc : run_timer_softirq+0x334/0x3d8
       lr : run_timer_softirq+0x244/0x3d8
       x1 : ffff800011cafe80 x0 : dead000000000122
       Call trace:
        run_timer_softirq+0x334/0x3d8
        efi_header_end+0x114/0x234
        irq_exit+0xd0/0xd8
        __handle_domain_irq+0x60/0xb0
        gic_handle_irq+0x58/0xa8
        el1_irq+0xb8/0x180
        arch_cpu_idle+0x10/0x18
        do_idle+0x1d8/0x2b0
        cpu_startup_entry+0x24/0x40
        secondary_start_kernel+0x1b4/0x208
       Code: f9000693 a9400660 f9000020 b4000040 (f9000401)
       ---[ end trace bb83ceeb4c482071 ]---
       Kernel panic - not syncing: Fatal exception in interrupt
       SMP: stopping secondary CPUs
       SMP: failed to stop secondary CPUs 2-3
       Kernel Offset: disabled
       CPU features: 0x00002,2300aa30
       Memory Limit: none
       ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      It's found that stmmac_xmit() and stmmac_resume() sometimes might
      run concurrently, possibly resulting in a race condition between
      mod_timer() and setup_timer(), being called by stmmac_xmit() and
      stmmac_resume() respectively.
      
      Since the resume() runs setup_timer() every time, it'd be safer to
      have del_timer_sync() in the suspend() as the counterpart.
      Signed-off-by: default avatarNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0529d1ea
    • Cong Wang's avatar
      net_sched: fix an OOB access in cls_tcindex · 478c4b2f
      Cong Wang authored
      [ Upstream commit 599be01e ]
      
      As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
      to compute the size of memory allocation, but cp->hash is
      set again after the allocation, this caused an out-of-bound
      access.
      
      So we have to move all cp->hash initialization and computation
      before the memory allocation. Move cp->mask and cp->shift together
      as cp->hash may need them for computation too.
      
      Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
      Fixes: 331b7292 ("net: sched: RCU cls_tcindex")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      478c4b2f
    • Eric Dumazet's avatar
      net: hsr: fix possible NULL deref in hsr_handle_frame() · d5524d5a
      Eric Dumazet authored
      [ Upstream commit 2b5b8251 ]
      
      hsr_port_get_rcu() can return NULL, so we need to be careful.
      
      general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
      KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
      CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
      RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
      Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
      RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
      RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
      RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
      R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
      R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
      FS:  00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <IRQ>
       hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
       __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
       __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
       __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
       process_backlog+0x206/0x750 net/core/dev.c:6144
       napi_poll net/core/dev.c:6582 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6650
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
       </IRQ>
      
      Fixes: c5a75911 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d5524d5a
    • Ridge Kennedy's avatar
      l2tp: Allow duplicate session creation with UDP · f0af9cd8
      Ridge Kennedy authored
      [ Upstream commit 0d0d9a38 ]
      
      In the past it was possible to create multiple L2TPv3 sessions with the
      same session id as long as the sessions belonged to different tunnels.
      The resulting sessions had issues when used with IP encapsulated tunnels,
      but worked fine with UDP encapsulated ones. Some applications began to
      rely on this behaviour to avoid having to negotiate unique session ids.
      
      Some time ago a change was made to require session ids to be unique across
      all tunnels, breaking the applications making use of this "feature".
      
      This change relaxes the duplicate session id check to allow duplicates
      if both of the colliding sessions belong to UDP encapsulated tunnels.
      
      Fixes: dbdbc73b ("l2tp: fix duplicate session creation")
      Signed-off-by: default avatarRidge Kennedy <ridge.kennedy@alliedtelesis.co.nz>
      Acked-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f0af9cd8
    • Taehee Yoo's avatar
      gtp: use __GFP_NOWARN to avoid memalloc warning · f2f39420
      Taehee Yoo authored
      [ Upstream commit bd5cd35b ]
      
      gtp hashtable size is received by user-space.
      So, this hashtable size could be too large. If so, kmalloc will internally
      print a warning message.
      This warning message is actually not necessary for the gtp module.
      So, this patch adds __GFP_NOWARN to avoid this message.
      
      Splat looks like:
      [ 2171.200049][ T1860] WARNING: CPU: 1 PID: 1860 at mm/page_alloc.c:4713 __alloc_pages_nodemask+0x2f3/0x740
      [ 2171.238885][ T1860] Modules linked in: gtp veth openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv]
      [ 2171.262680][ T1860] CPU: 1 PID: 1860 Comm: gtp-link Not tainted 5.5.0+ #321
      [ 2171.263567][ T1860] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [ 2171.264681][ T1860] RIP: 0010:__alloc_pages_nodemask+0x2f3/0x740
      [ 2171.265332][ T1860] Code: 64 fe ff ff 65 48 8b 04 25 c0 0f 02 00 48 05 f0 12 00 00 41 be 01 00 00 00 49 89 47 0
      [ 2171.267301][ T1860] RSP: 0018:ffff8880b51af1f0 EFLAGS: 00010246
      [ 2171.268320][ T1860] RAX: ffffed1016a35e43 RBX: 0000000000000000 RCX: 0000000000000000
      [ 2171.269517][ T1860] RDX: 0000000000000000 RSI: 000000000000000b RDI: 0000000000000000
      [ 2171.270305][ T1860] RBP: 0000000000040cc0 R08: ffffed1018893109 R09: dffffc0000000000
      [ 2171.275973][ T1860] R10: 0000000000000001 R11: ffffed1018893108 R12: 1ffff11016a35e43
      [ 2171.291039][ T1860] R13: 000000000000000b R14: 000000000000000b R15: 00000000000f4240
      [ 2171.292328][ T1860] FS:  00007f53cbc83740(0000) GS:ffff8880da000000(0000) knlGS:0000000000000000
      [ 2171.293409][ T1860] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2171.294586][ T1860] CR2: 000055f540014508 CR3: 00000000b49f2004 CR4: 00000000000606e0
      [ 2171.295424][ T1860] Call Trace:
      [ 2171.295756][ T1860]  ? mark_held_locks+0xa5/0xe0
      [ 2171.296659][ T1860]  ? __alloc_pages_slowpath+0x21b0/0x21b0
      [ 2171.298283][ T1860]  ? gtp_encap_enable_socket+0x13e/0x400 [gtp]
      [ 2171.298962][ T1860]  ? alloc_pages_current+0xc1/0x1a0
      [ 2171.299475][ T1860]  kmalloc_order+0x22/0x80
      [ 2171.299936][ T1860]  kmalloc_order_trace+0x1d/0x140
      [ 2171.300437][ T1860]  __kmalloc+0x302/0x3a0
      [ 2171.300896][ T1860]  gtp_newlink+0x293/0xba0 [gtp]
      [ ... ]
      
      Fixes: 459aa660 ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f2f39420
    • Eric Dumazet's avatar
      cls_rsvp: fix rsvp_policy · 1cb578dc
      Eric Dumazet authored
      [ Upstream commit cb3c0e6b ]
      
      NLA_BINARY can be confusing, since .len value represents
      the max size of the blob.
      
      cls_rsvp really wants user space to provide long enough data
      for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
      
      BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
      BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
      BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
      CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       rsvp_get net/sched/cls_rsvp.h:258 [inline]
       gen_handle net/sched/cls_rsvp.h:402 [inline]
       rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
       tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
       rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
       netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45b349
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2774 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
       netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:639 [inline]
       sock_sendmsg net/socket.c:659 [inline]
       ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
       ___sys_sendmsg net/socket.c:2384 [inline]
       __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
       __do_sys_sendmsg net/socket.c:2426 [inline]
       __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 6fa8c014 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cb578dc
    • Arnd Bergmann's avatar
      sparc32: fix struct ipc64_perm type definition · 9e154752
      Arnd Bergmann authored
      [ Upstream commit 34ca70ef ]
      
      As discussed in the strace issue tracker, it appears that the sparc32
      sysvipc support has been broken for the past 11 years. It was however
      working in compat mode, which is how it must have escaped most of the
      regular testing.
      
      The problem is that a cleanup patch inadvertently changed the uid/gid
      fields in struct ipc64_perm from 32-bit types to 16-bit types in uapi
      headers.
      
      Both glibc and uclibc-ng still use the original types, so they should
      work fine with compat mode, but not natively.  Change the definitions
      to use __kernel_uid32_t and __kernel_gid32_t again.
      
      Fixes: 83c86984 ("sparc: unify ipcbuf.h")
      Link: https://github.com/strace/strace/issues/116
      Cc: <stable@vger.kernel.org> # v2.6.29
      Cc: Sam Ravnborg <sam@ravnborg.org>
      Cc: "Dmitry V . Levin" <ldv@altlinux.org>
      Cc: Rich Felker <dalias@libc.org>
      Cc: libc-alpha@sourceware.org
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9e154752
    • Luca Coelho's avatar
      iwlwifi: mvm: fix NVM check for 3168 devices · 9940e10d
      Luca Coelho authored
      [ Upstream commit b3f20e09 ]
      
      We had a check on !NVM_EXT and then a check for NVM_SDP in the else
      block of this if.  The else block, obviously, could only be reached if
      using NVM_EXT, so it would never be NVM_SDP.
      
      Fix that by checking whether the nvm_type is IWL_NVM instead of
      checking for !IWL_NVM_EXT to solve this issue.
      Reported-by: default avatarStefan Sperling <stsp@stsp.name>
      Signed-off-by: default avatarLuca Coelho <luciano.coelho@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      9940e10d
    • John Ogness's avatar
      printk: fix exclusive_console replaying · 8360063b
      John Ogness authored
      [ Upstream commit def97da1 ]
      
      Commit f92b070f ("printk: Do not miss new messages when replaying
      the log") introduced a new variable @exclusive_console_stop_seq to
      store when an exclusive console should stop printing. It should be
      set to the @console_seq value at registration. However, @console_seq
      is previously set to @syslog_seq so that the exclusive console knows
      where to begin. This results in the exclusive console immediately
      reactivating all the other consoles and thus repeating the messages
      for those consoles.
      
      Set @console_seq after @exclusive_console_stop_seq has stored the
      current @console_seq value.
      
      Fixes: f92b070f ("printk: Do not miss new messages when replaying the log")
      Link: http://lkml.kernel.org/r/20191219115322.31160-1-john.ogness@linutronix.de
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarJohn Ogness <john.ogness@linutronix.de>
      Acked-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8360063b
    • Jan Kara's avatar
      udf: Allow writing to 'Rewritable' partitions · 97bc3b7d
      Jan Kara authored
      [ Upstream commit 15fb05fd ]
      
      UDF 2.60 standard states in section 2.2.14.2:
      
          A partition with Access Type 3 (rewritable) shall define a Freed
          Space Bitmap or a Freed Space Table, see 2.3.3. All other partitions
          shall not define a Freed Space Bitmap or a Freed Space Table.
      
          Rewritable partitions are used on media that require some form of
          preprocessing before re-writing data (for example legacy MO). Such
          partitions shall use Access Type 3.
      
          Overwritable partitions are used on media that do not require
          preprocessing before overwriting data (for example: CD-RW, DVD-RW,
          DVD+RW, DVD-RAM, BD-RE, HD DVD-Rewritable). Such partitions shall
          use Access Type 4.
      
      however older versions of the standard didn't have this wording and
      there are tools out there that create UDF filesystems with rewritable
      partitions but that don't contain a Freed Space Bitmap or a Freed Space
      Table on media that does not require pre-processing before overwriting a
      block. So instead of forcing media with rewritable partition read-only,
      base this decision on presence of a Freed Space Bitmap or a Freed Space
      Table.
      Reported-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Reviewed-by: default avatarPali Rohár <pali.rohar@gmail.com>
      Fixes: b085fbe2 ("udf: Fix crash during mount")
      Link: https://lore.kernel.org/linux-fsdevel/20200112144735.hj2emsoy4uwsouxz@paliSigned-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      97bc3b7d
    • Pawan Gupta's avatar
      x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR · 218ab8f8
      Pawan Gupta authored
      [ Upstream commit 5efc6fa9 ]
      
      /proc/cpuinfo currently reports Hardware Lock Elision (HLE) feature to
      be present on boot cpu even if it was disabled during the bootup. This
      is because cpuinfo_x86->x86_capability HLE bit is not updated after TSX
      state is changed via the new MSR IA32_TSX_CTRL.
      
      Update the cached HLE bit also since it is expected to change after an
      update to CPUID_CLEAR bit in MSR IA32_TSX_CTRL.
      
      Fixes: 95c5824f ("x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default")
      Signed-off-by: default avatarPawan Gupta <pawan.kumar.gupta@linux.intel.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Tested-by: default avatarNeelima Krishnan <neelima.krishnan@intel.com>
      Reviewed-by: default avatarDave Hansen <dave.hansen@linux.intel.com>
      Reviewed-by: default avatarJosh Poimboeuf <jpoimboe@redhat.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/2529b99546294c893dfa1c89e2b3e46da3369a59.1578685425.git.pawan.kumar.gupta@linux.intel.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      218ab8f8
    • Gang He's avatar
      ocfs2: fix oops when writing cloned file · e31057d4
      Gang He authored
      [ Upstream commit 2d797e9f ]
      
      Writing a cloned file triggers a kernel oops and the user-space command
      process is also killed by the system.  The bug can be reproduced stably
      via:
      
      1) create a file under ocfs2 file system directory.
      
        journalctl -b > aa.txt
      
      2) create a cloned file for this file.
      
        reflink aa.txt bb.txt
      
      3) write the cloned file with dd command.
      
        dd if=/dev/zero of=bb.txt bs=512 count=1 conv=notrunc
      
      The dd command is killed by the kernel, then you can see the oops message
      via dmesg command.
      
      [  463.875404] BUG: kernel NULL pointer dereference, address: 0000000000000028
      [  463.875413] #PF: supervisor read access in kernel mode
      [  463.875416] #PF: error_code(0x0000) - not-present page
      [  463.875418] PGD 0 P4D 0
      [  463.875425] Oops: 0000 [#1] SMP PTI
      [  463.875431] CPU: 1 PID: 2291 Comm: dd Tainted: G           OE     5.3.16-2-default
      [  463.875433] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
      [  463.875500] RIP: 0010:ocfs2_refcount_cow+0xa4/0x5d0 [ocfs2]
      [  463.875505] Code: 06 89 6c 24 38 89 eb f6 44 24 3c 02 74 be 49 8b 47 28
      [  463.875508] RSP: 0018:ffffa2cb409dfce8 EFLAGS: 00010202
      [  463.875512] RAX: ffff8b1ebdca8000 RBX: 0000000000000001 RCX: ffff8b1eb73a9df0
      [  463.875515] RDX: 0000000000056a01 RSI: 0000000000000000 RDI: 0000000000000000
      [  463.875517] RBP: 0000000000000001 R08: ffff8b1eb73a9de0 R09: 0000000000000000
      [  463.875520] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
      [  463.875522] R13: ffff8b1eb922f048 R14: 0000000000000000 R15: ffff8b1eb922f048
      [  463.875526] FS:  00007f8f44d15540(0000) GS:ffff8b1ebeb00000(0000) knlGS:0000000000000000
      [  463.875529] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  463.875532] CR2: 0000000000000028 CR3: 000000003c17a000 CR4: 00000000000006e0
      [  463.875546] Call Trace:
      [  463.875596]  ? ocfs2_inode_lock_full_nested+0x18b/0x960 [ocfs2]
      [  463.875648]  ocfs2_file_write_iter+0xaf8/0xc70 [ocfs2]
      [  463.875672]  new_sync_write+0x12d/0x1d0
      [  463.875688]  vfs_write+0xad/0x1a0
      [  463.875697]  ksys_write+0xa1/0xe0
      [  463.875710]  do_syscall_64+0x60/0x1f0
      [  463.875743]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  463.875758] RIP: 0033:0x7f8f4482ed44
      [  463.875762] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 80 00 00 00
      [  463.875765] RSP: 002b:00007fff300a79d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      [  463.875769] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8f4482ed44
      [  463.875771] RDX: 0000000000000200 RSI: 000055f771b5c000 RDI: 0000000000000001
      [  463.875774] RBP: 0000000000000200 R08: 00007f8f44af9c78 R09: 0000000000000003
      [  463.875776] R10: 000000000000089f R11: 0000000000000246 R12: 000055f771b5c000
      [  463.875779] R13: 0000000000000200 R14: 0000000000000000 R15: 000055f771b5c000
      
      This regression problem was introduced by commit e74540b2 ("ocfs2:
      protect extent tree in ocfs2_prepare_inode_for_write()").
      
      Link: http://lkml.kernel.org/r/20200121050153.13290-1-ghe@suse.com
      Fixes: e74540b2 ("ocfs2: protect extent tree in ocfs2_prepare_inode_for_write()").
      Signed-off-by: default avatarGang He <ghe@suse.com>
      Reviewed-by: default avatarJoseph Qi <joseph.qi@linux.alibaba.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e31057d4
    • Johan Hovold's avatar
      media: iguanair: fix endpoint sanity check · df3eb85b
      Johan Hovold authored
      [ Upstream commit 1b257870 ]
      
      Make sure to use the current alternate setting, which need not be the
      first one by index, when verifying the endpoint descriptors and
      initialising the URBs.
      
      Failing to do so could cause the driver to misbehave or trigger a WARN()
      in usb_submit_urb() that kernels with panic_on_warn set would choke on.
      
      Fixes: 26ff6313 ("[media] Add support for the IguanaWorks USB IR Transceiver")
      Fixes: ab1cbdf1 ("media: iguanair: add sanity checks")
      Cc: stable <stable@vger.kernel.org>     # 3.6
      Cc: Oliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarSean Young <sean@mess.org>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+huawei@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      df3eb85b
    • YueHaibing's avatar
      kernel/module: Fix memleak in module_add_modinfo_attrs() · bdfaaf35
      YueHaibing authored
      [ Upstream commit f6d061d6 ]
      
      In module_add_modinfo_attrs() if sysfs_create_file() fails
      on the first iteration of the loop (so i = 0), we forget to
      free the modinfo_attrs.
      
      Fixes: bc6f2a75 ("kernel/module: Fix mem leak in module_add_modinfo_attrs")
      Reviewed-by: default avatarMiroslav Benes <mbenes@suse.cz>
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarJessica Yu <jeyu@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bdfaaf35
    • Miklos Szeredi's avatar
      ovl: fix lseek overflow on 32bit · 4f98fe43
      Miklos Szeredi authored
      [ Upstream commit a4ac9d45 ]
      
      ovl_lseek() is using ssize_t to return the value from vfs_llseek().  On a
      32-bit kernel ssize_t is a 32-bit signed int, which overflows above 2 GB.
      
      Assign the return value of vfs_llseek() to loff_t to fix this.
      Reported-by: default avatarBoris Gjenero <boris.gjenero@gmail.com>
      Fixes: 9e46b840 ("ovl: support stacked SEEK_HOLE/SEEK_DATA")
      Cc: <stable@vger.kernel.org> # v4.19
      Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4f98fe43
    • Icenowy Zheng's avatar
      Revert "drm/sun4i: dsi: Change the start delay calculation" · 41be0c32
      Icenowy Zheng authored
      [ Upstream commit a00d17e0 ]
      
      This reverts commit da676c6a.
      
      The original commit adds a start parameter to the calculation of the
      start delay according to some old BSP versions from Allwinner. However,
      there're two ways to add this delay -- add it in DSI controller or add
      it in the TCON. Add it in both controllers won't work.
      
      The code before this commit is picked from new versions of BSP kernel,
      which has a comment for the 1 that says "put start_delay to tcon". By
      checking the sun4i_tcon0_mode_set_cpu() in sun4i_tcon driver, it has
      already added this delay, so we shouldn't repeat to add the delay in DSI
      controller, otherwise the timing won't match.
      Signed-off-by: default avatarIcenowy Zheng <icenowy@aosc.io>
      Reviewed-by: default avatarJagan Teki <jagan@amarulasolutions.com>
      Signed-off-by: default avatarMaxime Ripard <mripard@kernel.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/20191001080253.6135-2-icenowy@aosc.ioSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      41be0c32
  2. 05 Feb, 2020 4 commits