1. 03 Jul, 2018 29 commits
    • Eric W. Biederman's avatar
      signal/xtensa: Consistenly use SIGBUS in do_unaligned_user · b7b02571
      Eric W. Biederman authored
      commit 7de712cc upstream.
      
      While working on changing this code to use force_sig_fault I
      discovered that do_unaliged_user is sets si_signo to SIGBUS and passes
      SIGSEGV to force_sig_info.  Which is just b0rked.
      
      The code is reporting a SIGBUS error so replace the SIGSEGV with SIGBUS.
      
      Cc: Chris Zankel <chris@zankel.net>
      Cc: Max Filippov <jcmvbkbc@gmail.com>
      Cc: linux-xtensa@linux-xtensa.org
      Cc: stable@vger.kernel.org
      Acked-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Fixes: 5a0015d6 ("[PATCH] xtensa: Architecture support for Tensilica Xtensa Part 3")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b7b02571
    • Daniel Wagner's avatar
      serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version · 62b192d7
      Daniel Wagner authored
      commit 8afb1d2c upstream.
      
      Commit 40f70c03 ("serial: sh-sci: add locking to console write
      function to avoid SMP lockup") copied the strategy to avoid locking
      problems in conjuncture with the console from the UART8250
      driver. Instead using directly spin_{try}lock_irqsave(),
      local_irq_save() followed by spin_{try}lock() was used. While this is
      correct on mainline, for -rt it is a problem. spin_{try}lock() will
      check if it is running in a valid context. Since the local_irq_save()
      has already been executed, the context has changed and
      spin_{try}lock() will complain. The reason why spin_{try}lock()
      complains is that on -rt the spin locks are turned into mutexes and
      therefore can sleep. Sleeping with interrupts disabled is not valid.
      
      BUG: sleeping function called from invalid context at /home/wagi/work/rt/v4.4-cip-rt/kernel/locking/rtmutex.c:995
      in_atomic(): 0, irqs_disabled(): 128, pid: 778, name: irq/76-eth0
      CPU: 0 PID: 778 Comm: irq/76-eth0 Not tainted 4.4.126-test-cip22-rt14-00403-gcd03665c8318 #12
      Hardware name: Generic RZ/G1 (Flattened Device Tree)
      Backtrace:
      [<c00140a0>] (dump_backtrace) from [<c001424c>] (show_stack+0x18/0x1c)
       r7:c06b01f0 r6:60010193 r5:00000000 r4:c06b01f0
      [<c0014234>] (show_stack) from [<c01d3c94>] (dump_stack+0x78/0x94)
      [<c01d3c1c>] (dump_stack) from [<c004c134>] (___might_sleep+0x134/0x194)
       r7:60010113 r6:c06d3559 r5:00000000 r4:ffffe000
      [<c004c000>] (___might_sleep) from [<c04ded60>] (rt_spin_lock+0x20/0x74)
       r5:c06f4d60 r4:c06f4d60
      [<c04ded40>] (rt_spin_lock) from [<c02577e4>] (serial_console_write+0x100/0x118)
       r5:c06f4d60 r4:c06f4d60
      [<c02576e4>] (serial_console_write) from [<c0061060>] (call_console_drivers.constprop.15+0x10c/0x124)
       r10:c06d2894 r9:c04e18b0 r8:00000028 r7:00000000 r6:c06d3559 r5:c06d2798
       r4:c06b9914 r3:c02576e4
      [<c0060f54>] (call_console_drivers.constprop.15) from [<c0062984>] (console_unlock+0x32c/0x430)
       r10:c06d30d8 r9:00000028 r8:c06dd518 r7:00000005 r6:00000000 r5:c06d2798
       r4:c06d2798 r3:00000028
      [<c0062658>] (console_unlock) from [<c0062e1c>] (vprintk_emit+0x394/0x4f0)
       r10:c06d2798 r9:c06d30ee r8:00000006 r7:00000005 r6:c06a78fc r5:00000027
       r4:00000003
      [<c0062a88>] (vprintk_emit) from [<c0062fa0>] (vprintk+0x28/0x30)
       r10:c060bd46 r9:00001000 r8:c06b9a90 r7:c06b9a90 r6:c06b994c r5:c06b9a3c
       r4:c0062fa8
      [<c0062f78>] (vprintk) from [<c0062fb8>] (vprintk_default+0x10/0x14)
      [<c0062fa8>] (vprintk_default) from [<c009cd30>] (printk+0x78/0x84)
      [<c009ccbc>] (printk) from [<c025afdc>] (credit_entropy_bits+0x17c/0x2cc)
       r3:00000001 r2:decade60 r1:c061a5ee r0:c061a523
       r4:00000006
      [<c025ae60>] (credit_entropy_bits) from [<c025bf74>] (add_interrupt_randomness+0x160/0x178)
       r10:466e7196 r9:1f536000 r8:fffeef74 r7:00000000 r6:c06b9a60 r5:c06b9a3c
       r4:dfbcf680
      [<c025be14>] (add_interrupt_randomness) from [<c006536c>] (irq_thread+0x1e8/0x248)
       r10:c006537c r9:c06cdf21 r8:c0064fcc r7:df791c24 r6:df791c00 r5:ffffe000
       r4:df525180
      [<c0065184>] (irq_thread) from [<c003fba4>] (kthread+0x108/0x11c)
       r10:00000000 r9:00000000 r8:c0065184 r7:df791c00 r6:00000000 r5:df791d00
       r4:decac000
      [<c003fa9c>] (kthread) from [<c00101b8>] (ret_from_fork+0x14/0x3c)
       r8:00000000 r7:00000000 r6:00000000 r5:c003fa9c r4:df791d00
      
      Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarDaniel Wagner <daniel.wagner@siemens.com>
      Reviewed-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      [dw: Backported to 4.4.]
      Signed-off-by: default avatarDaniel Wagner <daniel.wagner@siemens.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      62b192d7
    • Michael Schmitz's avatar
      m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap() · af0825dc
      Michael Schmitz authored
      commit 3f90f9ef upstream.
      
      If 020/030 support is enabled, get_io_area() leaves an IO_SIZE gap
      between mappings which is added to the vm_struct representing the
      mapping.  __ioremap() uses the actual requested size (after alignment),
      while __iounmap() is passed the size from the vm_struct.
      
      On 020/030, early termination descriptors are used to set up mappings of
      extent 'size', which are validated on unmapping. The unmapped gap of
      size IO_SIZE defeats the sanity check of the pmd tables, causing
      __iounmap() to loop forever on 030.
      
      On 040/060, unmapping of page table entries does not check for a valid
      mapping, so the umapping loop always completes there.
      
      Adjust size to be unmapped by the gap that had been added in the
      vm_struct prior.
      
      This fixes the hang in atari_platform_init() reported a long time ago,
      and a similar one reported by Finn recently (addressed by removing
      ioremap() use from the SWIM driver.
      
      Tested on my Falcon in 030 mode - untested but should work the same on
      040/060 (the extra page tables cleared there would never have been set
      up anyway).
      Signed-off-by: default avatarMichael Schmitz <schmitzmic@gmail.com>
      [geert: Minor commit description improvements]
      [geert: This was fixed in 2.4.23, but not in 2.5.x]
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af0825dc
    • Dan Williams's avatar
      x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec() · 5bfdf361
      Dan Williams authored
      commit eab6870f upstream.
      
      Mark Rutland noticed that GCC optimization passes have the potential to elide
      necessary invocations of the array_index_mask_nospec() instruction sequence,
      so mark the asm() volatile.
      
      Mark explains:
      
      "The volatile will inhibit *some* cases where the compiler could lift the
       array_index_nospec() call out of a branch, e.g. where there are multiple
       invocations of array_index_nospec() with the same arguments:
      
              if (idx < foo) {
                      idx1 = array_idx_nospec(idx, foo)
                      do_something(idx1);
              }
      
              < some other code >
      
              if (idx < foo) {
                      idx2 = array_idx_nospec(idx, foo);
                      do_something_else(idx2);
              }
      
       ... since the compiler can determine that the two invocations yield the same
       result, and reuse the first result (likely the same register as idx was in
       originally) for the second branch, effectively re-writing the above as:
      
              if (idx < foo) {
                      idx = array_idx_nospec(idx, foo);
                      do_something(idx);
              }
      
              < some other code >
      
              if (idx < foo) {
                      do_something_else(idx);
              }
      
       ... if we don't take the first branch, then speculatively take the second, we
       lose the nospec protection.
      
       There's more info on volatile asm in the GCC docs:
      
         https://gcc.gnu.org/onlinedocs/gcc/Extended-Asm.html#Volatile
       "
      Reported-by: default avatarMark Rutland <mark.rutland@arm.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Acked-by: default avatarMark Rutland <mark.rutland@arm.com>
      Acked-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Acked-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Fixes: babdde26 ("x86: Implement array_index_mask_nospec")
      Link: https://lkml.kernel.org/lkml/152838798950.14521.4893346294059739135.stgit@dwillia2-desk3.amr.corp.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5bfdf361
    • Thadeu Lima de Souza Cascardo's avatar
      fs/binfmt_misc.c: do not allow offset overflow · 300288ed
      Thadeu Lima de Souza Cascardo authored
      commit 5cc41e09 upstream.
      
      WHen registering a new binfmt_misc handler, it is possible to overflow
      the offset to get a negative value, which might crash the system, or
      possibly leak kernel data.
      
      Here is a crash log when 2500000000 was used as an offset:
      
        BUG: unable to handle kernel paging request at ffff989cfd6edca0
        IP: load_misc_binary+0x22b/0x470 [binfmt_misc]
        PGD 1ef3e067 P4D 1ef3e067 PUD 0
        Oops: 0000 [#1] SMP NOPTI
        Modules linked in: binfmt_misc kvm_intel ppdev kvm irqbypass joydev input_leds serio_raw mac_hid parport_pc qemu_fw_cfg parpy
        CPU: 0 PID: 2499 Comm: bash Not tainted 4.15.0-22-generic #24-Ubuntu
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.1-1 04/01/2014
        RIP: 0010:load_misc_binary+0x22b/0x470 [binfmt_misc]
        Call Trace:
          search_binary_handler+0x97/0x1d0
          do_execveat_common.isra.34+0x667/0x810
          SyS_execve+0x31/0x40
          do_syscall_64+0x73/0x130
          entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Use kstrtoint instead of simple_strtoul.  It will work as the code
      already set the delimiter byte to '\0' and we only do it when the field
      is not empty.
      
      Tested with offsets -1, 2500000000, UINT_MAX and INT_MAX.  Also tested
      with examples documented at Documentation/admin-guide/binfmt-misc.rst
      and other registrations from packages on Ubuntu.
      
      Link: http://lkml.kernel.org/r/20180529135648.14254-1-cascardo@canonical.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@canonical.com>
      Reviewed-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      300288ed
    • Stefan Potyra's avatar
      w1: mxc_w1: Enable clock before calling clk_get_rate() on it · 7d49aed9
      Stefan Potyra authored
      commit 955bc613 upstream.
      
      According to the API, you may only call clk_get_rate() after actually
      enabling it.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      
      Fixes: a5fd9139 ("w1: add 1-wire master driver for i.MX27 / i.MX31")
      Signed-off-by: default avatarStefan Potyra <Stefan.Potyra@elektrobit.com>
      Acked-by: default avatarEvgeniy Polyakov <zbr@ioremap.net>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d49aed9
    • Hans de Goede's avatar
      libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk · e2f88572
      Hans de Goede authored
      commit 2cfce3a8 upstream.
      
      Commit 184add2c ("libata: Apply NOLPM quirk for SanDisk
      SD7UB3Q*G1001 SSDs") disabled LPM for SanDisk SD7UB3Q*G1001 SSDs.
      
      This has lead to several reports of users of that SSD where LPM
      was working fine and who know have a significantly increased idle
      power consumption on their laptops.
      
      Likely there is another problem on the T450s from the original
      reporter which gets exposed by the uncore reaching deeper sleep
      states (higher PC-states) due to LPM being enabled. The problem as
      reported, a hardfreeze about once a day, already did not sound like
      it would be caused by LPM and the reports of the SSD working fine
      confirm this. The original reporter is ok with dropping the quirk.
      
      A X250 user has reported the same hard freeze problem and for him
      the problem went away after unrelated updates, I suspect some GPU
      driver stack changes fixed things.
      
      TL;DR: The original reporters problem were triggered by LPM but not
      an LPM issue, so drop the quirk for the SSD in question.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1583207
      Cc: stable@vger.kernel.org
      Cc: Richard W.M. Jones <rjones@redhat.com>
      Cc: Lorenzo Dalrio <lorenzo.dalrio@gmail.com>
      Reported-by: default avatarLorenzo Dalrio <lorenzo.dalrio@gmail.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Acked-by: default avatar"Richard W.M. Jones" <rjones@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2f88572
    • Dan Carpenter's avatar
      libata: zpodd: small read overflow in eject_tray() · 132ec5db
      Dan Carpenter authored
      commit 18c9a99b upstream.
      
      We read from the cdb[] buffer in ata_exec_internal_sg().  It has to be
      ATAPI_CDB_LEN (16) bytes long, but this buffer is only 12 bytes.
      
      Fixes: 21334205 ("libata: handle power transition of ODD")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      132ec5db
    • Colin Ian King's avatar
      libata: zpodd: make arrays cdb static, reduces object code size · cbb55b97
      Colin Ian King authored
      commit 795ef788 upstream.
      
      Don't populate the arrays cdb on the stack, instead make them static.
      Makes the object code smaller by 230 bytes:
      
      Before:
         text	   data	    bss	    dec	    hex	filename
         3797	    240	      0	   4037	    fc5	drivers/ata/libata-zpodd.o
      
      After:
         text	   data	    bss	    dec	    hex	filename
         3407	    400	      0	   3807	    edf	drivers/ata/libata-zpodd.o
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cbb55b97
    • Tao Wang's avatar
      cpufreq: Fix new policy initialization during limits updates via sysfs · 6f5edfa5
      Tao Wang authored
      commit c7d1f119 upstream.
      
      If the policy limits are updated via cpufreq_update_policy() and
      subsequently via sysfs, the limits stored in user_policy may be
      set incorrectly.
      
      For example, if both min and max are set via sysfs to the maximum
      available frequency, user_policy.min and user_policy.max will also
      be the maximum.  If a policy notifier triggered by
      cpufreq_update_policy() lowers both the min and the max at this
      point, that change is not reflected by the user_policy limits, so
      if the max is updated again via sysfs to the same lower value,
      then user_policy.max will be lower than user_policy.min which
      shouldn't happen.  In particular, if one of the policy CPUs is
      then taken offline and back online, cpufreq_set_policy() will
      fail for it due to a failing limits check.
      
      To prevent that from happening, initialize the min and max fields
      of the new_policy object to the ones stored in user_policy that
      were previously set via sysfs.
      Signed-off-by: default avatarKevin Wangtao <kevin.wangtao@hisilicon.com>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      [ rjw: Subject & changelog ]
      Cc: All applicable <stable@vger.kernel.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f5edfa5
    • Dennis Wassenberg's avatar
      ALSA: hda: add dock and led support for HP ProBook 640 G4 · a8f007c1
      Dennis Wassenberg authored
      commit 7eef32c1 upstream.
      
      This patch adds missing initialisation for HP 2013 UltraSlim Dock
      Line-In/Out PINs and activates keyboard mute/micmute leds
      for HP ProBook 640 G4
      Signed-off-by: default avatarDennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8f007c1
    • Dennis Wassenberg's avatar
      ALSA: hda: add dock and led support for HP EliteBook 830 G5 · 4f88763c
      Dennis Wassenberg authored
      commit 2861751f upstream.
      
      This patch adds missing initialisation for HP 2013 UltraSlim Dock
      Line-In/Out PINs and activates keyboard mute/micmute leds
      for HP EliteBook 830 G5
      Signed-off-by: default avatarDennis Wassenberg <dennis.wassenberg@secunet.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f88763c
    • Bo Chen's avatar
      ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream() · 9f1592e4
      Bo Chen authored
      commit a3aa60d5 upstream.
      
      When 'kzalloc()' fails in 'snd_hda_attach_pcm_stream()', a new pcm instance is
      created without setting its operators via 'snd_pcm_set_ops()'. Following
      operations on the new pcm instance can trigger kernel null pointer dereferences
      and cause kernel oops.
      
      This bug was found with my work on building a gray-box fault-injection tool for
      linux-kernel-module binaries. A kernel null pointer dereference was confirmed
      from line 'substream->ops->open()' in function 'snd_pcm_open_substream()' in
      file 'sound/core/pcm_native.c'.
      
      This patch fixes the bug by calling 'snd_device_free()' in the error handling
      path of 'kzalloc()', which removes the new pcm instance from the snd card before
      returns with an error code.
      Signed-off-by: default avatarBo Chen <chenbo@pdx.edu>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f1592e4
    • Qu Wenruo's avatar
      btrfs: scrub: Don't use inode pages for device replace · d85feb42
      Qu Wenruo authored
      commit ac0b4145 upstream.
      
      [BUG]
      Btrfs can create compressed extent without checksum (even though it
      shouldn't), and if we then try to replace device containing such extent,
      the result device will contain all the uncompressed data instead of the
      compressed one.
      
      Test case already submitted to fstests:
      https://patchwork.kernel.org/patch/10442353/
      
      [CAUSE]
      When handling compressed extent without checksum, device replace will
      goe into copy_nocow_pages() function.
      
      In that function, btrfs will get all inodes referring to this data
      extents and then use find_or_create_page() to get pages direct from that
      inode.
      
      The problem here is, pages directly from inode are always uncompressed.
      And for compressed data extent, they mismatch with on-disk data.
      Thus this leads to corrupted compressed data extent written to replace
      device.
      
      [FIX]
      In this attempt, we could just remove the "optimization" branch, and let
      unified scrub_pages() to handle it.
      
      Although scrub_pages() won't bother reusing page cache, it will be a
      little slower, but it does the correct csum checking and won't cause
      such data corruption caused by "optimization".
      
      Note about the fix: this is the minimal fix that can be backported to
      older stable trees without conflicts. The whole callchain from
      copy_nocow_pages() can be deleted, and will be in followup patches.
      
      Fixes: ff023aac ("Btrfs: add code to scrub to copy read data to another disk")
      CC: stable@vger.kernel.org # 4.4+
      Reported-by: default avatarJames Harvey <jamespharvey20@gmail.com>
      Reviewed-by: default avatarJames Harvey <jamespharvey20@gmail.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      [ remove code removal, add note why ]
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d85feb42
    • Tetsuo Handa's avatar
      driver core: Don't ignore class_dir_create_and_add() failure. · e05dd564
      Tetsuo Handa authored
      commit 84d0c27d upstream.
      
      syzbot is hitting WARN() at kernfs_add_one() [1].
      This is because kernfs_create_link() is confused by previous device_add()
      call which continued without setting dev->kobj.parent field when
      get_device_parent() failed by memory allocation fault injection.
      Fix this by propagating the error from class_dir_create_and_add() to
      the calllers of get_device_parent().
      
      [1] https://syzkaller.appspot.com/bug?id=fae0fb607989ea744526d1c082a5b8de6529116fSigned-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+df47f81c226b31d89fb1@syzkaller.appspotmail.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e05dd564
    • Jan Kara's avatar
      ext4: fix fencepost error in check for inode count overflow during resize · f444af38
      Jan Kara authored
      commit 4f2f76f7 upstream.
      
      ext4_resize_fs() has an off-by-one bug when checking whether growing of
      a filesystem will not overflow inode count. As a result it allows a
      filesystem with 8192 inodes per group to grow to 64TB which overflows
      inode count to 0 and makes filesystem unusable. Fix it.
      
      Cc: stable@vger.kernel.org
      Fixes: 3f8a6411Reported-by: default avatarJaco Kroon <jaco@uls.co.za>
      Signed-off-by: default avatarJan Kara <jack@suse.cz>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f444af38
    • Lukas Czerner's avatar
      ext4: update mtime in ext4_punch_hole even if no blocks are released · 0a986b27
      Lukas Czerner authored
      commit eee597ac upstream.
      
      Currently in ext4_punch_hole we're going to skip the mtime update if
      there are no actual blocks to release. However we've actually modified
      the file by zeroing the partial block so the mtime should be updated.
      
      Moreover the sync and datasync handling is skipped as well, which is
      also wrong. Fix it.
      Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
      Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Reported-by: default avatarJoe Habermann <joe.habermann@quantum.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a986b27
    • Frank van der Linden's avatar
      tcp: verify the checksum of the first data segment in a new connection · 48ffbdea
      Frank van der Linden authored
      [ Upstream commit 4fd44a98 ]
      
      commit 079096f1 ("tcp/dccp: install syn_recv requests into ehash
      table") introduced an optimization for the handling of child sockets
      created for a new TCP connection.
      
      But this optimization passes any data associated with the last ACK of the
      connection handshake up the stack without verifying its checksum, because it
      calls tcp_child_process(), which in turn calls tcp_rcv_state_process()
      directly.  These lower-level processing functions do not do any checksum
      verification.
      
      Insert a tcp_checksum_complete call in the TCP_NEW_SYN_RECEIVE path to
      fix this.
      
      Fixes: 079096f1 ("tcp/dccp: install syn_recv requests into ehash table")
      Signed-off-by: default avatarFrank van der Linden <fllinden@amazon.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Tested-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Reviewed-by: default avatarBalbir Singh <bsingharora@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      48ffbdea
    • Xiangning Yu's avatar
      bonding: re-evaluate force_primary when the primary slave name changes · b397cdd8
      Xiangning Yu authored
      [ Upstream commit eb55bbf8 ]
      
      There is a timing issue under active-standy mode, when bond_enslave() is
      called, bond->params.primary might not be initialized yet.
      
      Any time the primary slave string changes, bond->force_primary should be
      set to true to make sure the primary becomes the active slave.
      Signed-off-by: default avatarXiangning Yu <yuxiangning@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b397cdd8
    • Daniel Glöckner's avatar
      usb: musb: fix remote wakeup racing with suspend · 4c22010c
      Daniel Glöckner authored
      [ Upstream commit ebc3dd68 ]
      
      It has been observed that writing 0xF2 to the power register while it
      reads as 0xF4 results in the register having the value 0xF0, i.e. clearing
      RESUME and setting SUSPENDM in one go does not work. It might also violate
      the USB spec to transition directly from resume to suspend, especially
      when not taking T_DRSMDN into account. But this is what happens when a
      remote wakeup occurs between SetPortFeature USB_PORT_FEAT_SUSPEND on the
      root hub and musb_bus_suspend being called.
      
      This commit returns -EBUSY when musb_bus_suspend is called while remote
      wakeup is signalled and thus avoids to reset the RESUME bit. Ignoring
      this error when musb_port_suspend is called from musb_hub_control is ok.
      Signed-off-by: default avatarDaniel Glöckner <dg@emlix.com>
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c22010c
    • Liu Bo's avatar
      Btrfs: make raid6 rebuild retry more · b988ed89
      Liu Bo authored
      [ Upstream commit 8810f751 ]
      
      There is a scenario that can end up with rebuild process failing to
      return good content, i.e.
      suppose that all disks can be read without problems and if the content
      that was read out doesn't match its checksum, currently for raid6
      btrfs at most retries twice,
      
      - the 1st retry is to rebuild with all other stripes, it'll eventually
        be a raid5 xor rebuild,
      - if the 1st fails, the 2nd retry will deliberately fail parity p so
        that it will do raid6 style rebuild,
      
      however, the chances are that another non-parity stripe content also
      has something corrupted, so that the above retries are not able to
      return correct content, and users will think of this as data loss.
      More seriouly, if the loss happens on some important internal btree
      roots, it could refuse to mount.
      
      This extends btrfs to do more retries and each retry fails only one
      stripe.  Since raid6 can tolerate 2 disk failures, if there is one
      more failure besides the failure on which we're recovering, this can
      always work.
      
      The worst case is to retry as many times as the number of raid6 disks,
      but given the fact that such a scenario is really rare in practice,
      it's still acceptable.
      Signed-off-by: default avatarLiu Bo <bo.li.liu@oracle.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b988ed89
    • Eric Dumazet's avatar
      tcp: do not overshoot window_clamp in tcp_rcv_space_adjust() · 4dff9792
      Eric Dumazet authored
      commit 02db5571 upstream.
      
      While rcvbuf is properly clamped by tcp_rmem[2], rcvwin
      is left to a potentially too big value.
      
      It has no serious effect, since :
      1) tcp_grow_window() has very strict checks.
      2) window_clamp can be mangled by user space to any value anyway.
      
      tcp_init_buffer_space() and companions use tcp_full_space(),
      we use tcp_win_from_space() to avoid reloading sk->sk_rcvbuf
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Acked-by: default avatarWei Wang <weiwan@google.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Cc: Benjamin Gilbert <benjamin.gilbert@coreos.com>
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4dff9792
    • Sasha Levin's avatar
      Revert "Btrfs: fix scrub to repair raid6 corruption" · 2cb1b603
      Sasha Levin authored
      This reverts commit 95b286da.
      
      This commit used an incorrect log message.
      Reported-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2cb1b603
    • Finn Thain's avatar
      net/sonic: Use dma_mapping_error() · 05be10a1
      Finn Thain authored
      [ Upstream commit 26de0b76 ]
      
      With CONFIG_DMA_API_DEBUG=y, calling sonic_open() produces the
      message, "DMA-API: device driver failed to check map error".
      Add the missing dma_mapping_error() call.
      
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Acked-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05be10a1
    • Josh Hill's avatar
      net: qmi_wwan: Add Netgear Aircard 779S · 8a6677e9
      Josh Hill authored
      [ Upstream commit 2415f3bd ]
      
      Add support for Netgear Aircard 779S
      Signed-off-by: default avatarJosh Hill <josh@joshuajhill.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a6677e9
    • Ivan Bornyakov's avatar
      atm: zatm: fix memcmp casting · acf477d5
      Ivan Bornyakov authored
      [ Upstream commit f9c6442a ]
      
      memcmp() returns int, but eprom_try_esi() cast it to unsigned char. One
      can lose significant bits and get 0 from non-0 value returned by the
      memcmp().
      Signed-off-by: default avatarIvan Bornyakov <brnkv.i1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      acf477d5
    • Julian Anastasov's avatar
      ipvs: fix buffer overflow with sync daemon and service · 24a04933
      Julian Anastasov authored
      [ Upstream commit 52f96757 ]
      
      syzkaller reports for buffer overflow for interface name
      when starting sync daemons [1]
      
      What we do is that we copy user structure into larger stack
      buffer but later we search NUL past the stack buffer.
      The same happens for sched_name when adding/editing virtual server.
      
      We are restricted by IP_VS_SCHEDNAME_MAXLEN and IP_VS_IFNAME_MAXLEN
      being used as size in include/uapi/linux/ip_vs.h, so they
      include the space for NUL.
      
      As using strlcpy is wrong for unsafe source, replace it with
      strscpy and add checks to return EINVAL if source string is not
      NUL-terminated. The incomplete strlcpy fix comes from 2.6.13.
      
      For the netlink interface reduce the len parameter for
      IPVS_DAEMON_ATTR_MCAST_IFN and IPVS_SVC_ATTR_SCHED_NAME,
      so that we get proper EINVAL.
      
      [1]
      kernel BUG at lib/string.c:1052!
      invalid opcode: 0000 [#1] SMP KASAN
      Dumping ftrace buffer:
          (ftrace buffer empty)
      Modules linked in:
      CPU: 1 PID: 373 Comm: syz-executor936 Not tainted 4.17.0-rc4+ #45
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      RIP: 0010:fortify_panic+0x13/0x20 lib/string.c:1051
      RSP: 0018:ffff8801c976f800 EFLAGS: 00010282
      RAX: 0000000000000022 RBX: 0000000000000040 RCX: 0000000000000000
      RDX: 0000000000000022 RSI: ffffffff8160f6f1 RDI: ffffed00392edef6
      RBP: ffff8801c976f800 R08: ffff8801cf4c62c0 R09: ffffed003b5e4fb0
      R10: ffffed003b5e4fb0 R11: ffff8801daf27d87 R12: ffff8801c976fa20
      R13: ffff8801c976fae4 R14: ffff8801c976fae0 R15: 000000000000048b
      FS:  00007fd99f75e700(0000) GS:ffff8801daf00000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000200001c0 CR3: 00000001d6843000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
        strlen include/linux/string.h:270 [inline]
        strlcpy include/linux/string.h:293 [inline]
        do_ip_vs_set_ctl+0x31c/0x1d00 net/netfilter/ipvs/ip_vs_ctl.c:2388
        nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
        nf_setsockopt+0x7d/0xd0 net/netfilter/nf_sockopt.c:115
        ip_setsockopt+0xd8/0xf0 net/ipv4/ip_sockglue.c:1253
        udp_setsockopt+0x62/0xa0 net/ipv4/udp.c:2487
        ipv6_setsockopt+0x149/0x170 net/ipv6/ipv6_sockglue.c:917
        tcp_setsockopt+0x93/0xe0 net/ipv4/tcp.c:3057
        sock_common_setsockopt+0x9a/0xe0 net/core/sock.c:3046
        __sys_setsockopt+0x1bd/0x390 net/socket.c:1903
        __do_sys_setsockopt net/socket.c:1914 [inline]
        __se_sys_setsockopt net/socket.c:1911 [inline]
        __x64_sys_setsockopt+0xbe/0x150 net/socket.c:1911
        do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x447369
      RSP: 002b:00007fd99f75dda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
      RAX: ffffffffffffffda RBX: 00000000006e39e4 RCX: 0000000000447369
      RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000018 R09: 0000000000000000
      R10: 00000000200001c0 R11: 0000000000000246 R12: 00000000006e39e0
      R13: 75a1ff93f0896195 R14: 6f745f3168746576 R15: 0000000000000001
      Code: 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 0f 0b 48 89 df e8 d2 8f 48 fa eb
      de 55 48 89 fe 48 c7 c7 60 65 64 88 48 89 e5 e8 91 dd f3 f9 <0f> 0b 90 90
      90 90 90 90 90 90 90 90 90 55 48 89 e5 41 57 41 56
      RIP: fortify_panic+0x13/0x20 lib/string.c:1051 RSP: ffff8801c976f800
      
      Reported-and-tested-by: syzbot+aac887f77319868646df@syzkaller.appspotmail.com
      Fixes: e4ff6751 ("ipvs: add sync_maxlen parameter for the sync daemon")
      Fixes: 4da62fc7 ("[IPVS]: Fix for overflows")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Acked-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24a04933
    • Paolo Abeni's avatar
      netfilter: ebtables: handle string from userspace with care · ab0b00d4
      Paolo Abeni authored
      [ Upstream commit 94c752f9 ]
      
      strlcpy() can't be safely used on a user-space provided string,
      as it can try to read beyond the buffer's end, if the latter is
      not NULL terminated.
      
      Leveraging the above, syzbot has been able to trigger the following
      splat:
      
      BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300
      [inline]
      BUG: KASAN: stack-out-of-bounds in compat_mtw_from_user
      net/bridge/netfilter/ebtables.c:1957 [inline]
      BUG: KASAN: stack-out-of-bounds in ebt_size_mwt
      net/bridge/netfilter/ebtables.c:2059 [inline]
      BUG: KASAN: stack-out-of-bounds in size_entry_mwt
      net/bridge/netfilter/ebtables.c:2155 [inline]
      BUG: KASAN: stack-out-of-bounds in compat_copy_entries+0x96c/0x14a0
      net/bridge/netfilter/ebtables.c:2194
      Write of size 33 at addr ffff8801b0abf888 by task syz-executor0/4504
      
      CPU: 0 PID: 4504 Comm: syz-executor0 Not tainted 4.17.0-rc2+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x1b9/0x294 lib/dump_stack.c:113
        print_address_description+0x6c/0x20b mm/kasan/report.c:256
        kasan_report_error mm/kasan/report.c:354 [inline]
        kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
        check_memory_region_inline mm/kasan/kasan.c:260 [inline]
        check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
        memcpy+0x37/0x50 mm/kasan/kasan.c:303
        strlcpy include/linux/string.h:300 [inline]
        compat_mtw_from_user net/bridge/netfilter/ebtables.c:1957 [inline]
        ebt_size_mwt net/bridge/netfilter/ebtables.c:2059 [inline]
        size_entry_mwt net/bridge/netfilter/ebtables.c:2155 [inline]
        compat_copy_entries+0x96c/0x14a0 net/bridge/netfilter/ebtables.c:2194
        compat_do_replace+0x483/0x900 net/bridge/netfilter/ebtables.c:2285
        compat_do_ebt_set_ctl+0x2ac/0x324 net/bridge/netfilter/ebtables.c:2367
        compat_nf_sockopt net/netfilter/nf_sockopt.c:144 [inline]
        compat_nf_setsockopt+0x9b/0x140 net/netfilter/nf_sockopt.c:156
        compat_ip_setsockopt+0xff/0x140 net/ipv4/ip_sockglue.c:1279
        inet_csk_compat_setsockopt+0x97/0x120 net/ipv4/inet_connection_sock.c:1041
        compat_tcp_setsockopt+0x49/0x80 net/ipv4/tcp.c:2901
        compat_sock_common_setsockopt+0xb4/0x150 net/core/sock.c:3050
        __compat_sys_setsockopt+0x1ab/0x7c0 net/compat.c:403
        __do_compat_sys_setsockopt net/compat.c:416 [inline]
        __se_compat_sys_setsockopt net/compat.c:413 [inline]
        __ia32_compat_sys_setsockopt+0xbd/0x150 net/compat.c:413
        do_syscall_32_irqs_on arch/x86/entry/common.c:323 [inline]
        do_fast_syscall_32+0x345/0xf9b arch/x86/entry/common.c:394
        entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7fb3cb9
      RSP: 002b:00000000fff0c26c EFLAGS: 00000282 ORIG_RAX: 000000000000016e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000000
      RDX: 0000000000000080 RSI: 0000000020000300 RDI: 00000000000005f4
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      The buggy address belongs to the page:
      page:ffffea0006c2afc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x2fffc0000000000()
      raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffffea0006c20101 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Fix the issue replacing the unsafe function with strscpy() and
      taking care of possible errors.
      
      Fixes: 81e675c2 ("netfilter: ebtables: add CONFIG_COMPAT support")
      Reported-and-tested-by: syzbot+4e42a04e0bc33cb6c087@syzkaller.appspotmail.com
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ab0b00d4
    • Eric Dumazet's avatar
      xfrm6: avoid potential infinite loop in _decode_session6() · 5a38892d
      Eric Dumazet authored
      [ Upstream commit d9f92772 ]
      
      syzbot found a way to trigger an infinitie loop by overflowing
      @offset variable that has been forced to use u16 for some very
      obscure reason in the past.
      
      We probably want to look at NEXTHDR_FRAGMENT handling which looks
      wrong, in a separate patch.
      
      In net-next, we shall try to use skb_header_pointer() instead of
      pskb_may_pull().
      
      watchdog: BUG: soft lockup - CPU#1 stuck for 134s! [syz-executor738:4553]
      Modules linked in:
      irq event stamp: 13885653
      hardirqs last  enabled at (13885652): [<ffffffff878009d5>] restore_regs_and_return_to_kernel+0x0/0x2b
      hardirqs last disabled at (13885653): [<ffffffff87800905>] interrupt_entry+0xb5/0xf0 arch/x86/entry/entry_64.S:625
      softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_napi_alloc_frags drivers/net/tun.c:1478 [inline]
      softirqs last  enabled at (13614028): [<ffffffff84df0809>] tun_get_user+0x1dd9/0x4290 drivers/net/tun.c:1825
      softirqs last disabled at (13614032): [<ffffffff84df1b6f>] tun_get_user+0x313f/0x4290 drivers/net/tun.c:1942
      CPU: 1 PID: 4553 Comm: syz-executor738 Not tainted 4.17.0-rc3+ #40
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:check_kcov_mode kernel/kcov.c:67 [inline]
      RIP: 0010:__sanitizer_cov_trace_pc+0x20/0x50 kernel/kcov.c:101
      RSP: 0018:ffff8801d8cfe250 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
      RAX: ffff8801d88a8080 RBX: ffff8801d7389e40 RCX: 0000000000000006
      RDX: 0000000000000000 RSI: ffffffff868da4ad RDI: ffff8801c8a53277
      RBP: ffff8801d8cfe250 R08: ffff8801d88a8080 R09: ffff8801d8cfe3e8
      R10: ffffed003b19fc87 R11: ffff8801d8cfe43f R12: ffff8801c8a5327f
      R13: 0000000000000000 R14: ffff8801c8a4e5fe R15: ffff8801d8cfe3e8
      FS:  0000000000d88940(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffff600400 CR3: 00000001acab3000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       _decode_session6+0xc1d/0x14f0 net/ipv6/xfrm6_policy.c:150
       __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2368
       xfrm_decode_session_reverse include/net/xfrm.h:1213 [inline]
       icmpv6_route_lookup+0x395/0x6e0 net/ipv6/icmp.c:372
       icmp6_send+0x1982/0x2da0 net/ipv6/icmp.c:551
       icmpv6_send+0x17a/0x300 net/ipv6/ip6_icmp.c:43
       ip6_input_finish+0x14e1/0x1a30 net/ipv6/ip6_input.c:305
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ip6_input+0xe1/0x5e0 net/ipv6/ip6_input.c:327
       dst_input include/net/dst.h:450 [inline]
       ip6_rcv_finish+0x29c/0xa10 net/ipv6/ip6_input.c:71
       NF_HOOK include/linux/netfilter.h:288 [inline]
       ipv6_rcv+0xeb8/0x2040 net/ipv6/ip6_input.c:208
       __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
       __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
       netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
       napi_frags_finish net/core/dev.c:5226 [inline]
       napi_gro_frags+0x631/0xc40 net/core/dev.c:5299
       tun_get_user+0x3168/0x4290 drivers/net/tun.c:1951
       tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:1996
       call_write_iter include/linux/fs.h:1784 [inline]
       do_iter_readv_writev+0x859/0xa50 fs/read_write.c:680
       do_iter_write+0x185/0x5f0 fs/read_write.c:959
       vfs_writev+0x1c7/0x330 fs/read_write.c:1004
       do_writev+0x112/0x2f0 fs/read_write.c:1039
       __do_sys_writev fs/read_write.c:1112 [inline]
       __se_sys_writev fs/read_write.c:1109 [inline]
       __x64_sys_writev+0x75/0xb0 fs/read_write.c:1109
       do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Steffen Klassert <steffen.klassert@secunet.com>
      Cc: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Reported-by: syzbot+0053c8...@syzkaller.appspotmail.com
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <alexander.levin@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a38892d
  2. 16 Jun, 2018 11 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.4.138 · 0bd2bedb
      Greg Kroah-Hartman authored
      0bd2bedb
    • Michael Ellerman's avatar
      crypto: vmx - Remove overly verbose printk from AES init routines · 5635242c
      Michael Ellerman authored
      commit 1411b521 upstream.
      
      In the vmx AES init routines we do a printk(KERN_INFO ...) to report
      the fallback implementation we're using.
      
      However with a slow console this can significantly affect the speed of
      crypto operations. Using 'cryptsetup benchmark' the removal of the
      printk() leads to a ~5x speedup for aes-cbc decryption.
      
      So remove them.
      
      Fixes: 8676590a ("crypto: vmx - Adding AES routines for VMX module")
      Fixes: 8c755ace ("crypto: vmx - Adding CBC routines for VMX module")
      Fixes: 4f7f60d3 ("crypto: vmx - Adding CTR routines for VMX module")
      Fixes: cc333cd6 ("crypto: vmx - Adding GHASH routines for VMX module")
      Cc: stable@vger.kernel.org # v4.1+
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5635242c
    • Johannes Wienke's avatar
      Input: elan_i2c - add ELAN0612 (Lenovo v330 14IKB) ACPI ID · 47d1aa22
      Johannes Wienke authored
      commit e6e7e9cd upstream.
      
      Add ELAN0612 to the list of supported touchpads; this ID is used in Lenovo
      v330 14IKB devices.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=199253Signed-off-by: default avatarJohannes Wienke <languitar@semipol.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47d1aa22
    • Ethan Lee's avatar
      Input: goodix - add new ACPI id for GPD Win 2 touch screen · 646dbf05
      Ethan Lee authored
      commit 5ca4d1ae upstream.
      
      GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp
      
      Tested on a unit from the first production run sent to Indiegogo backers
      Signed-off-by: default avatarEthan Lee <flibitijibibo@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      646dbf05
    • Paolo Bonzini's avatar
      kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access · 25bdf080
      Paolo Bonzini authored
      commit 3c9fa24c upstream.
      
      The functions that were used in the emulation of fxrstor, fxsave, sgdt and
      sidt were originally meant for task switching, and as such they did not
      check privilege levels.  This is very bad when the same functions are used
      in the emulation of unprivileged instructions.  This is CVE-2018-10853.
      
      The obvious fix is to add a new argument to ops->read_std and ops->write_std,
      which decides whether the access is a "system" access or should use the
      processor's CPL.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25bdf080
    • Gil Kupfer's avatar
      vmw_balloon: fixing double free when batching mode is off · b13b60e8
      Gil Kupfer authored
      commit b23220fe upstream.
      
      The balloon.page field is used for two different purposes if batching is
      on or off. If batching is on, the field point to the page which is used
      to communicate with with the hypervisor. If it is off, balloon.page
      points to the page that is about to be (un)locked.
      
      Unfortunately, this dual-purpose of the field introduced a bug: when the
      balloon is popped (e.g., when the machine is reset or the balloon driver
      is explicitly removed), the balloon driver frees, unconditionally, the
      page that is held in balloon.page.  As a result, if batching is
      disabled, this leads to double freeing the last page that is sent to the
      hypervisor.
      
      The following error occurs during rmmod when kernel checkers are on, and
      the balloon is not empty:
      
      [   42.307653] ------------[ cut here ]------------
      [   42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable]
      [   42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
      [   42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi
      [   42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5
      [   42.312803] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016
      [   42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000
      [   42.313290] RIP: 0010:__free_pages+0x38/0x40
      [   42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246
      [   42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006
      [   42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0
      [   42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000
      [   42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4
      [   42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200
      [   42.314550] FS:  00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000
      [   42.314599] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0
      [   42.314864] Call Trace:
      [   42.315774]  vmballoon_pop+0x102/0x130 [vmw_balloon]
      [   42.315816]  vmballoon_exit+0x42/0xd64 [vmw_balloon]
      [   42.315853]  SyS_delete_module+0x1e2/0x250
      [   42.315891]  entry_SYSCALL_64_fastpath+0x23/0xc2
      [   42.315924] RIP: 0033:0x7f3af5b0e8e7
      [   42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [   42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7
      [   42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248
      [   42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [   42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130
      [   42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0
      [   42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48
      [   42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98
      [   42.325735] ---[ end trace 872e008e33f81508 ]---
      
      To solve the bug, we eliminate the dual purpose of balloon.page.
      
      Fixes: f220a80f ("VMware balloon: add batching to the vmw_balloon.")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarOleksandr Natalenko <onatalen@redhat.com>
      Signed-off-by: default avatarGil Kupfer <gilkup@gmail.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Reviewed-by: default avatarXavier Deguillard <xdeguillard@vmware.com>
      Tested-by: default avatarOleksandr Natalenko <oleksandr@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b13b60e8
    • Marek Szyprowski's avatar
      serial: samsung: fix maxburst parameter for DMA transactions · 6ffaa6e0
      Marek Szyprowski authored
      commit aa2f80e7 upstream.
      
      The best granularity of residue that DMA engine can report is in the BURST
      units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE
      if it relies on exact number of bytes transferred by DMA engine.
      
      Fixes: 62c37eed ("serial: samsung: add dma reqest/release functions")
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Acked-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ffaa6e0
    • Paolo Bonzini's avatar
      KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system · 32690810
      Paolo Bonzini authored
      commit ce14e868 upstream.
      
      Int the next patch the emulator's .read_std and .write_std callbacks will
      grow another argument, which is not needed in kvm_read_guest_virt and
      kvm_write_guest_virt_system's callers.  Since we have to make separate
      functions, let's give the currently existing names a nicer interface, too.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32690810
    • Paolo Bonzini's avatar
      KVM: x86: introduce linear_{read,write}_system · 8417244a
      Paolo Bonzini authored
      commit 79367a65 upstream.
      
      Wrap the common invocation of ctxt->ops->read_std and ctxt->ops->write_std, so
      as to have a smaller patch when the functions grow another argument.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8417244a
    • Linus Torvalds's avatar
      Clarify (and fix) MAX_LFS_FILESIZE macros · 09b20d9a
      Linus Torvalds authored
      commit 0cc3b0ec upstream.
      
      We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
      filesystems (and other IO targets) that know they are 64-bit clean and
      don't have any 32-bit limits in their IO path.
      
      It turns out that our 32-bit value for that limit was bogus.  On 32-bit,
      the VM layer is limited by the page cache to only 32-bit index values,
      but our logic for that was confusing and actually wrong.  We used to
      define that value to
      
      	(((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
      
      which is actually odd in several ways: it limits the index to 31 bits,
      and then it limits files so that they can't have data in that last byte
      of a page that has the highest 31-bit index (ie page index 0x7fffffff).
      
      Neither of those limitations make sense.  The index is actually the full
      32 bit unsigned value, and we can use that whole full page.  So the
      maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".
      
      However, we do wan tto avoid the maximum index, because we have code
      that iterates over the page indexes, and we don't want that code to
      overflow.  So the maximum size of a file on a 32-bit host should
      actually be one page less than the full 32-bit index.
      
      So the actual limit is ULONG_MAX << PAGE_SHIFT.  That means that we will
      not actually be using the page of that last index (ULONG_MAX), but we
      can grow a file up to that limit.
      
      The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
      Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
      volume.  It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
      byte less), but the actual true VM limit is one page less than 16TiB.
      
      This was invisible until commit c2a9737f ("vfs,mm: fix a dead loop
      in truncate_inode_pages_range()"), which started applying that
      MAX_LFS_FILESIZE limit to block devices too.
      
      NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
      actually just the offset type itself (loff_t), which is signed.  But for
      clarity, on 64-bit, just use the maximum signed value, and don't make
      people have to count the number of 'f' characters in the hex constant.
      
      So just use LLONG_MAX for the 64-bit case.  That was what the value had
      been before too, just written out as a hex constant.
      
      Fixes: c2a9737f ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
      Reported-and-tested-by: default avatarDoug Nazar <nazard@nazar.ca>
      Cc: Andreas Dilger <adilger@dilger.ca>
      Cc: Mark Fasheh <mfasheh@versity.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Dave Kleikamp <shaggy@kernel.org>
      Cc: stable@kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Rafael Tinoco <rafael.tinoco@linaro.org>
      [backported to 4.4.y due to requests of failed LTP tests - gregkh]
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09b20d9a
    • Linus Walleij's avatar
      gpio: No NULL owner · c4f78b57
      Linus Walleij authored
      commit 7d18f0a1 upstream.
      
      Sometimes a GPIO is fetched with NULL as parent device, and
      that is just fine. So under these circumstances, avoid using
      dev_name() to provide a name for the GPIO line.
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Cc: Daniel Rosenberg <drosen@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c4f78b57