1. 28 Jan, 2020 1 commit
  2. 15 Jan, 2020 4 commits
  3. 08 Jan, 2020 9 commits
  4. 07 Jan, 2020 26 commits
    • Connor Kuehl's avatar
    • Greg Kroah-Hartman's avatar
    • Eric Dumazet's avatar
      tcp: do not send empty skb from tcp_write_xmit() · bd8391c1
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 1f85e626 ]
      
      Backport of commit fdfc5c85 ("tcp: remove empty skb from
      write queue in error cases") in linux-4.14 stable triggered
      various bugs. One of them has been fixed in commit ba2ddb43f270
      ("tcp: Don't dequeue SYN/FIN-segments from write-queue"), but
      we still have crashes in some occasions.
      
      Root-cause is that when tcp_sendmsg() has allocated a fresh
      skb and could not append a fragment before being blocked
      in sk_stream_wait_memory(), tcp_write_xmit() might be called
      and decide to send this fresh and empty skb.
      
      Sending an empty packet is not only silly, it might have caused
      many issues we had in the past with tp->packets_out being
      out of sync.
      
      Fixes: c65f7f00 ("[TCP]: Simplify SKB data portion allocation with NETIF_F_SG.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Christoph Paasch <cpaasch@apple.com>
      Acked-by: default avatarNeal Cardwell <ncardwell@google.com>
      Cc: Jason Baron <jbaron@akamai.com>
      Acked-by: default avatarSoheil Hassas Yeganeh <soheil@google.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      bd8391c1
    • Faiz Abbas's avatar
      mmc: sdhci: Update the tuning failed messages to pr_debug level · e05a6cbb
      Faiz Abbas authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 2c92dd20 ]
      
      Tuning support in DDR50 speed mode was added in SD Specifications Part1
      Physical Layer Specification v3.01. Its not possible to distinguish
      between v3.00 and v3.01 from the SCR and that is why since
      commit 4324f6de ("mmc: core: enable CMD19 tuning for DDR50 mode")
      tuning failures are ignored in DDR50 speed mode.
      
      Cards compatible with v3.00 don't respond to CMD19 in DDR50 and this
      error gets printed during enumeration and also if retune is triggered at
      any time during operation. Update the printk level to pr_debug so that
      these errors don't lead to false error reports.
      Signed-off-by: default avatarFaiz Abbas <faiz_abbas@ti.com>
      Cc: stable@vger.kernel.org # v4.4+
      Link: https://lore.kernel.org/r/20191206114326.15856-1-faiz_abbas@ti.comSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      e05a6cbb
    • Eric Dumazet's avatar
      hrtimer: Annotate lockless access to timer->state · 80bd249a
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 56144737 upstream.
      
      syzbot reported various data-race caused by hrtimer_is_queued() reading
      timer->state. A READ_ONCE() is required there to silence the warning.
      
      Also add the corresponding WRITE_ONCE() when timer->state is set.
      
      In remove_hrtimer() the hrtimer_is_queued() helper is open coded to avoid
      loading timer->state twice.
      
      KCSAN reported these cases:
      
      BUG: KCSAN: data-race in __remove_hrtimer / tcp_pacing_check
      
      write to 0xffff8880b2a7d388 of 1 bytes by interrupt on cpu 0:
       __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
       __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
       __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
       hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
       __do_softirq+0x115/0x33f kernel/softirq.c:292
       run_ksoftirqd+0x46/0x60 kernel/softirq.c:603
       smpboot_thread_fn+0x37d/0x4a0 kernel/smpboot.c:165
       kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      read to 0xffff8880b2a7d388 of 1 bytes by task 24652 on cpu 1:
       tcp_pacing_check net/ipv4/tcp_output.c:2235 [inline]
       tcp_pacing_check+0xba/0x130 net/ipv4/tcp_output.c:2225
       tcp_xmit_retransmit_queue+0x32c/0x5a0 net/ipv4/tcp_output.c:3044
       tcp_xmit_recovery+0x7c/0x120 net/ipv4/tcp_input.c:3558
       tcp_ack+0x17b6/0x3170 net/ipv4/tcp_input.c:3717
       tcp_rcv_established+0x37e/0xf50 net/ipv4/tcp_input.c:5696
       tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
       sk_backlog_rcv include/net/sock.h:945 [inline]
       __release_sock+0x135/0x1e0 net/core/sock.c:2435
       release_sock+0x61/0x160 net/core/sock.c:2951
       sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
       tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
       tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
       inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0x9f/0xc0 net/socket.c:657
      
      BUG: KCSAN: data-race in __remove_hrtimer / __tcp_ack_snd_check
      
      write to 0xffff8880a3a65588 of 1 bytes by interrupt on cpu 0:
       __remove_hrtimer+0x52/0x130 kernel/time/hrtimer.c:991
       __run_hrtimer kernel/time/hrtimer.c:1496 [inline]
       __hrtimer_run_queues+0x250/0x600 kernel/time/hrtimer.c:1576
       hrtimer_run_softirq+0x10e/0x150 kernel/time/hrtimer.c:1593
       __do_softirq+0x115/0x33f kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0xbb/0xe0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0xe6/0x280 arch/x86/kernel/apic/apic.c:1137
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:830
      
      read to 0xffff8880a3a65588 of 1 bytes by task 22891 on cpu 1:
       __tcp_ack_snd_check+0x415/0x4f0 net/ipv4/tcp_input.c:5265
       tcp_ack_snd_check net/ipv4/tcp_input.c:5287 [inline]
       tcp_rcv_established+0x750/0xf50 net/ipv4/tcp_input.c:5708
       tcp_v4_do_rcv+0x381/0x4e0 net/ipv4/tcp_ipv4.c:1561
       sk_backlog_rcv include/net/sock.h:945 [inline]
       __release_sock+0x135/0x1e0 net/core/sock.c:2435
       release_sock+0x61/0x160 net/core/sock.c:2951
       sk_stream_wait_memory+0x3d7/0x7c0 net/core/stream.c:145
       tcp_sendmsg_locked+0xb47/0x1f30 net/ipv4/tcp.c:1393
       tcp_sendmsg+0x39/0x60 net/ipv4/tcp.c:1434
       inet_sendmsg+0x6d/0x90 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0x9f/0xc0 net/socket.c:657
       __sys_sendto+0x21f/0x320 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto net/socket.c:1960 [inline]
       __x64_sys_sendto+0x89/0xb0 net/socket.c:1960
       do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 24652 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      [ tglx: Added comments ]
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Link: https://lkml.kernel.org/r/20191106174804.74723-1-edumazet@google.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      80bd249a
    • Eric Dumazet's avatar
      net: icmp: fix data-race in cmp_global_allow() · c4920b85
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit bbab7ef2 upstream.
      
      This code reads two global variables without protection
      of a lock. We need READ_ONCE()/WRITE_ONCE() pairs to
      avoid load/store-tearing and better document the intent.
      
      KCSAN reported :
      BUG: KCSAN: data-race in icmp_global_allow / icmp_global_allow
      
      read to 0xffffffff861a8014 of 4 bytes by task 11201 on cpu 0:
       icmp_global_allow+0x36/0x1b0 net/ipv4/icmp.c:254
       icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
       icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
       icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
       icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
       ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
       dst_link_failure include/net/dst.h:419 [inline]
       vti_xmit net/ipv4/ip_vti.c:243 [inline]
       vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
       __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
       netdev_start_xmit include/linux/netdevice.h:4434 [inline]
       xmit_one net/core/dev.c:3280 [inline]
       dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
       __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
       dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
       neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
       neigh_output include/net/neighbour.h:511 [inline]
       ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
       __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
       __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
       ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
       dst_output include/net/dst.h:436 [inline]
       ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
      
      write to 0xffffffff861a8014 of 4 bytes by task 11183 on cpu 1:
       icmp_global_allow+0x174/0x1b0 net/ipv4/icmp.c:272
       icmpv6_global_allow net/ipv6/icmp.c:184 [inline]
       icmpv6_global_allow net/ipv6/icmp.c:179 [inline]
       icmp6_send+0x493/0x1140 net/ipv6/icmp.c:514
       icmpv6_send+0x71/0xb0 net/ipv6/ip6_icmp.c:43
       ip6_link_failure+0x43/0x180 net/ipv6/route.c:2640
       dst_link_failure include/net/dst.h:419 [inline]
       vti_xmit net/ipv4/ip_vti.c:243 [inline]
       vti_tunnel_xmit+0x27f/0xa50 net/ipv4/ip_vti.c:279
       __netdev_start_xmit include/linux/netdevice.h:4420 [inline]
       netdev_start_xmit include/linux/netdevice.h:4434 [inline]
       xmit_one net/core/dev.c:3280 [inline]
       dev_hard_start_xmit+0xef/0x430 net/core/dev.c:3296
       __dev_queue_xmit+0x14c9/0x1b60 net/core/dev.c:3873
       dev_queue_xmit+0x21/0x30 net/core/dev.c:3906
       neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
       neigh_output include/net/neighbour.h:511 [inline]
       ip6_finish_output2+0x7a6/0xec0 net/ipv6/ip6_output.c:116
       __ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
       __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
       ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 1 PID: 11183 Comm: syz-executor.2 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: 4cdf507d ("icmp: add a global rate limitation")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      c4920b85
    • Eric Dumazet's avatar
      netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() · 9293e3c6
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 56042858 upstream.
      
      syzbot is kind enough to remind us we need to call skb_may_pull()
      
      BUG: KMSAN: uninit-value in br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
      CPU: 1 PID: 11631 Comm: syz-executor.1 Not tainted 5.4.0-rc8-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0x128/0x220 mm/kmsan/kmsan_report.c:108
       __msan_warning+0x64/0xc0 mm/kmsan/kmsan_instr.c:245
       br_nf_forward_arp+0xe61/0x1230 net/bridge/br_netfilter_hooks.c:665
       nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline]
       nf_hook_slow+0x18b/0x3f0 net/netfilter/core.c:512
       nf_hook include/linux/netfilter.h:260 [inline]
       NF_HOOK include/linux/netfilter.h:303 [inline]
       __br_forward+0x78f/0xe30 net/bridge/br_forward.c:109
       br_flood+0xef0/0xfe0 net/bridge/br_forward.c:234
       br_handle_frame_finish+0x1a77/0x1c20 net/bridge/br_input.c:162
       nf_hook_bridge_pre net/bridge/br_input.c:245 [inline]
       br_handle_frame+0xfb6/0x1eb0 net/bridge/br_input.c:348
       __netif_receive_skb_core+0x20b9/0x51a0 net/core/dev.c:4830
       __netif_receive_skb_one_core net/core/dev.c:4927 [inline]
       __netif_receive_skb net/core/dev.c:5043 [inline]
       process_backlog+0x610/0x13c0 net/core/dev.c:5874
       napi_poll net/core/dev.c:6311 [inline]
       net_rx_action+0x7a6/0x1aa0 net/core/dev.c:6379
       __do_softirq+0x4a1/0x83a kernel/softirq.c:293
       do_softirq_own_stack+0x49/0x80 arch/x86/entry/entry_64.S:1091
       </IRQ>
       do_softirq kernel/softirq.c:338 [inline]
       __local_bh_enable_ip+0x184/0x1d0 kernel/softirq.c:190
       local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
       rcu_read_unlock_bh include/linux/rcupdate.h:688 [inline]
       __dev_queue_xmit+0x38e8/0x4200 net/core/dev.c:3819
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:3825
       packet_snd net/packet/af_packet.c:2959 [inline]
       packet_sendmsg+0x8234/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45a679
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f0a3c9e5c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 000000000045a679
      RDX: 000000000000000e RSI: 0000000020000200 RDI: 0000000000000003
      RBP: 000000000075bf20 R08: 00000000200000c0 R09: 0000000000000014
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f0a3c9e66d4
      R13: 00000000004c8ec1 R14: 00000000004dfe28 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:149 [inline]
       kmsan_internal_poison_shadow+0x5c/0x110 mm/kmsan/kmsan.c:132
       kmsan_slab_alloc+0x97/0x100 mm/kmsan/kmsan_hooks.c:86
       slab_alloc_node mm/slub.c:2773 [inline]
       __kmalloc_node_track_caller+0xe27/0x11a0 mm/slub.c:4381
       __kmalloc_reserve net/core/skbuff.c:141 [inline]
       __alloc_skb+0x306/0xa10 net/core/skbuff.c:209
       alloc_skb include/linux/skbuff.h:1049 [inline]
       alloc_skb_with_frags+0x18c/0xa80 net/core/skbuff.c:5662
       sock_alloc_send_pskb+0xafd/0x10a0 net/core/sock.c:2244
       packet_alloc_skb net/packet/af_packet.c:2807 [inline]
       packet_snd net/packet/af_packet.c:2902 [inline]
       packet_sendmsg+0x63a6/0x9100 net/packet/af_packet.c:2984
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg net/socket.c:657 [inline]
       __sys_sendto+0xc44/0xc70 net/socket.c:1952
       __do_sys_sendto net/socket.c:1964 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:1960
       __x64_sys_sendto+0x6e/0x90 net/socket.c:1960
       do_syscall_64+0xb6/0x160 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c4e70a87 ("netfilter: bridge: rename br_netfilter.c to br_netfilter_hooks.c")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      9293e3c6
    • Eric Dumazet's avatar
      6pack,mkiss: fix possible deadlock · 677d32a1
      Eric Dumazet authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 5c9934b6 upstream.
      
      We got another syzbot report [1] that tells us we must use
      write_lock_irq()/write_unlock_irq() to avoid possible deadlock.
      
      [1]
      
      WARNING: inconsistent lock state
      5.5.0-rc1-syzkaller #0 Not tainted
      --------------------------------
      inconsistent {HARDIRQ-ON-W} -> {IN-HARDIRQ-R} usage.
      syz-executor826/9605 [HC1[1]:SC0[0]:HE0:SE1] takes:
      ffffffff8a128718 (disc_data_lock){+-..}, at: sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
      {HARDIRQ-ON-W} state was registered at:
        lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
        __raw_write_lock_bh include/linux/rwlock_api_smp.h:203 [inline]
        _raw_write_lock_bh+0x33/0x50 kernel/locking/spinlock.c:319
        sixpack_close+0x1d/0x250 drivers/net/hamradio/6pack.c:657
        tty_ldisc_close.isra.0+0x119/0x1a0 drivers/tty/tty_ldisc.c:489
        tty_set_ldisc+0x230/0x6b0 drivers/tty/tty_ldisc.c:585
        tiocsetd drivers/tty/tty_io.c:2337 [inline]
        tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2597
        vfs_ioctl fs/ioctl.c:47 [inline]
        file_ioctl fs/ioctl.c:545 [inline]
        do_vfs_ioctl+0x977/0x14e0 fs/ioctl.c:732
        ksys_ioctl+0xab/0xd0 fs/ioctl.c:749
        __do_sys_ioctl fs/ioctl.c:756 [inline]
        __se_sys_ioctl fs/ioctl.c:754 [inline]
        __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:754
        do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      irq event stamp: 3946
      hardirqs last  enabled at (3945): [<ffffffff87c86e43>] __raw_spin_unlock_irq include/linux/spinlock_api_smp.h:168 [inline]
      hardirqs last  enabled at (3945): [<ffffffff87c86e43>] _raw_spin_unlock_irq+0x23/0x80 kernel/locking/spinlock.c:199
      hardirqs last disabled at (3946): [<ffffffff8100675f>] trace_hardirqs_off_thunk+0x1a/0x1c arch/x86/entry/thunk_64.S:42
      softirqs last  enabled at (2658): [<ffffffff86a8b4df>] spin_unlock_bh include/linux/spinlock.h:383 [inline]
      softirqs last  enabled at (2658): [<ffffffff86a8b4df>] clusterip_netdev_event+0x46f/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:222
      softirqs last disabled at (2656): [<ffffffff86a8b22b>] spin_lock_bh include/linux/spinlock.h:343 [inline]
      softirqs last disabled at (2656): [<ffffffff86a8b22b>] clusterip_netdev_event+0x1bb/0x670 net/ipv4/netfilter/ipt_CLUSTERIP.c:196
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(disc_data_lock);
        <Interrupt>
          lock(disc_data_lock);
      
       *** DEADLOCK ***
      
      5 locks held by syz-executor826/9605:
       #0: ffff8880a905e198 (&tty->legacy_mutex){+.+.}, at: tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
       #1: ffffffff899a56c0 (rcu_read_lock){....}, at: mutex_spin_on_owner+0x0/0x330 kernel/locking/mutex.c:413
       #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
       #2: ffff8880a496a2b0 (&(&i->lock)->rlock){-.-.}, at: serial8250_interrupt+0x2d/0x1a0 drivers/tty/serial/8250/8250_core.c:116
       #3: ffffffff8c104048 (&port_lock_key){-.-.}, at: serial8250_handle_irq.part.0+0x24/0x330 drivers/tty/serial/8250/8250_port.c:1823
       #4: ffff8880a905e090 (&tty->ldisc_sem){++++}, at: tty_ldisc_ref+0x22/0x90 drivers/tty/tty_ldisc.c:288
      
      stack backtrace:
      CPU: 1 PID: 9605 Comm: syz-executor826 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_usage_bug.cold+0x327/0x378 kernel/locking/lockdep.c:3101
       valid_state kernel/locking/lockdep.c:3112 [inline]
       mark_lock_irq kernel/locking/lockdep.c:3309 [inline]
       mark_lock+0xbb4/0x1220 kernel/locking/lockdep.c:3666
       mark_usage kernel/locking/lockdep.c:3554 [inline]
       __lock_acquire+0x1e55/0x4a00 kernel/locking/lockdep.c:3909
       lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
       __raw_read_lock include/linux/rwlock_api_smp.h:149 [inline]
       _raw_read_lock+0x32/0x50 kernel/locking/spinlock.c:223
       sp_get.isra.0+0x1d/0xf0 drivers/net/ppp/ppp_synctty.c:138
       sixpack_write_wakeup+0x25/0x340 drivers/net/hamradio/6pack.c:402
       tty_wakeup+0xe9/0x120 drivers/tty/tty_io.c:536
       tty_port_default_wakeup+0x2b/0x40 drivers/tty/tty_port.c:50
       tty_port_tty_wakeup+0x57/0x70 drivers/tty/tty_port.c:387
       uart_write_wakeup+0x46/0x70 drivers/tty/serial/serial_core.c:104
       serial8250_tx_chars+0x495/0xaf0 drivers/tty/serial/8250/8250_port.c:1761
       serial8250_handle_irq.part.0+0x2a2/0x330 drivers/tty/serial/8250/8250_port.c:1834
       serial8250_handle_irq drivers/tty/serial/8250/8250_port.c:1820 [inline]
       serial8250_default_handle_irq+0xc0/0x150 drivers/tty/serial/8250/8250_port.c:1850
       serial8250_interrupt+0xf1/0x1a0 drivers/tty/serial/8250/8250_core.c:126
       __handle_irq_event_percpu+0x15d/0x970 kernel/irq/handle.c:149
       handle_irq_event_percpu+0x74/0x160 kernel/irq/handle.c:189
       handle_irq_event+0xa7/0x134 kernel/irq/handle.c:206
       handle_edge_irq+0x25e/0x8d0 kernel/irq/chip.c:830
       generic_handle_irq_desc include/linux/irqdesc.h:156 [inline]
       do_IRQ+0xde/0x280 arch/x86/kernel/irq.c:250
       common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:607
       </IRQ>
      RIP: 0010:cpu_relax arch/x86/include/asm/processor.h:685 [inline]
      RIP: 0010:mutex_spin_on_owner+0x247/0x330 kernel/locking/mutex.c:579
      Code: c3 be 08 00 00 00 4c 89 e7 e8 e5 06 59 00 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 0f 85 e1 00 00 00 49 8b 04 24 a8 01 75 96 f3 90 <e9> 2f fe ff ff 0f 0b e8 0d 19 09 00 84 c0 0f 85 ff fd ff ff 48 c7
      RSP: 0018:ffffc90001eafa20 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffd7
      RAX: 0000000000000000 RBX: ffff88809fd9e0c0 RCX: 1ffffffff13266dd
      RDX: 0000000000000000 RSI: 0000000000000008 RDI: 0000000000000000
      RBP: ffffc90001eafa60 R08: 1ffff11013d22898 R09: ffffed1013d22899
      R10: ffffed1013d22898 R11: ffff88809e9144c7 R12: ffff8880a905e138
      R13: ffff88809e9144c0 R14: 0000000000000000 R15: dffffc0000000000
       mutex_optimistic_spin kernel/locking/mutex.c:673 [inline]
       __mutex_lock_common kernel/locking/mutex.c:962 [inline]
       __mutex_lock+0x32b/0x13c0 kernel/locking/mutex.c:1106
       mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1121
       tty_lock+0xc7/0x130 drivers/tty/tty_mutex.c:19
       tty_release+0xb5/0xe90 drivers/tty/tty_io.c:1665
       __fput+0x2ff/0x890 fs/file_table.c:280
       ____fput+0x16/0x20 fs/file_table.c:313
       task_work_run+0x145/0x1c0 kernel/task_work.c:113
       exit_task_work include/linux/task_work.h:22 [inline]
       do_exit+0x8e7/0x2ef0 kernel/exit.c:797
       do_group_exit+0x135/0x360 kernel/exit.c:895
       __do_sys_exit_group kernel/exit.c:906 [inline]
       __se_sys_exit_group kernel/exit.c:904 [inline]
       __x64_sys_exit_group+0x44/0x50 kernel/exit.c:904
       do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x43fef8
      Code: Bad RIP value.
      RSP: 002b:00007ffdb07d2338 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000000043fef8
      RDX: 0000000000000000 RSI: 000000000000003c RDI: 0000000000000000
      RBP: 00000000004bf730 R08: 00000000000000e7 R09: ffffffffffffffd0
      R10: 00000000004002c8 R11: 0000000000000246 R12: 0000000000000001
      R13: 00000000006d1180 R14: 0000000000000000 R15: 0000000000000000
      
      Fixes: 6e4e2f81 ("6pack,mkiss: fix lock inconsistency")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      677d32a1
    • Florian Westphal's avatar
      netfilter: ebtables: compat: reject all padding in matches/watchers · a57c90ca
      Florian Westphal authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit e608f631 upstream.
      
      syzbot reported following splat:
      
      BUG: KASAN: vmalloc-out-of-bounds in size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
      BUG: KASAN: vmalloc-out-of-bounds in compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
      Read of size 4 at addr ffffc900004461f4 by task syz-executor267/7937
      
      CPU: 1 PID: 7937 Comm: syz-executor267 Not tainted 5.5.0-rc1-syzkaller #0
       size_entry_mwt net/bridge/netfilter/ebtables.c:2063 [inline]
       compat_copy_entries+0x128b/0x1380 net/bridge/netfilter/ebtables.c:2155
       compat_do_replace+0x344/0x720 net/bridge/netfilter/ebtables.c:2249
       compat_do_ebt_set_ctl+0x22f/0x27e net/bridge/netfilter/ebtables.c:2333
       [..]
      
      Because padding isn't considered during computation of ->buf_user_offset,
      "total" is decremented by fewer bytes than it should.
      
      Therefore, the first part of
      
      if (*total < sizeof(*entry) || entry->next_offset < sizeof(*entry))
      
      will pass, -- it should not have.  This causes oob access:
      entry->next_offset is past the vmalloced size.
      
      Reject padding and check that computed user offset (sum of ebt_entry
      structure plus all individual matches/watchers/targets) is same
      value that userspace gave us as the offset of the next entry.
      
      Reported-by: syzbot+f68108fed972453a0ad4@syzkaller.appspotmail.com
      Fixes: 81e675c2 ("netfilter: ebtables: add CONFIG_COMPAT support")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      a57c90ca
    • Arnd Bergmann's avatar
      net: davinci_cpdma: use dma_addr_t for DMA address · 3fa29534
      Arnd Bergmann authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 84092996 upstream.
      
      The davinci_cpdma mixes up physical addresses as seen from the CPU
      and DMA addresses as seen from a DMA master, since it can operate
      on both normal memory or an on-chip buffer. If dma_addr_t is
      different from phys_addr_t, this means we get a compile-time warning
      about the type mismatch:
      
      ethernet/ti/davinci_cpdma.c: In function 'cpdma_desc_pool_create':
      ethernet/ti/davinci_cpdma.c:182:48: error: passing argument 3 of 'dma_alloc_coherent' from incompatible pointer type [-Werror=incompatible-pointer-types]
         pool->cpumap = dma_alloc_coherent(dev, size, &pool->phys,
      In file included from ethernet/ti/davinci_cpdma.c:21:0:
      dma-mapping.h:398:21: note: expected 'dma_addr_t * {aka long long unsigned int *}' but argument is of type 'phys_addr_t * {aka unsigned int *}'
       static inline void *dma_alloc_coherent(struct device *dev, size_t size,
      
      This slightly restructures the code so the address we use for
      mapping RAM into a DMA address is always a dma_addr_t, avoiding
      the warning. The code is correct even if both types are 32-bit
      because the DMA master in this device only supports 32-bit addressing
      anyway, independent of the types that are used.
      
      We still assign this value to pool->phys, and that is wrong if
      the driver is ever used with an IOMMU, but that value appears to
      be never used, so there is no problem really. I've added a couple
      of comments about where we do things that are slightly violating
      the API.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarDaniel Wagner <dwagner@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      3fa29534
    • Linus Torvalds's avatar
      filldir[64]: remove WARN_ON_ONCE() for bad directory entries · c3f42106
      Linus Torvalds authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit b9959c7a upstream.
      
      This was always meant to be a temporary thing, just for testing and to
      see if it actually ever triggered.
      
      The only thing that reported it was syzbot doing disk image fuzzing, and
      then that warning is expected.  So let's just remove it before -rc4,
      because the extra sanity testing should probably go to -stable, but we
      don't want the warning to do so.
      
      Reported-by: syzbot+3031f712c7ad5dd4d926@syzkaller.appspotmail.com
      Fixes: 8a23eb80 ("Make filldir[64]() verify the directory entry filename is valid")
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSiddharth Chandrasekaran <csiddharth@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      c3f42106
    • Linus Torvalds's avatar
      Make filldir[64]() verify the directory entry filename is valid · 07c9dfce
      Linus Torvalds authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      commit 8a23eb80 upstream.
      
      This has been discussed several times, and now filesystem people are
      talking about doing it individually at the filesystem layer, so head
      that off at the pass and just do it in getdents{64}().
      
      This is partially based on a patch by Jann Horn, but checks for NUL
      bytes as well, and somewhat simplified.
      
      There's also commentary about how it might be better if invalid names
      due to filesystem corruption don't cause an immediate failure, but only
      an error at the end of the readdir(), so that people can still see the
      filenames that are ok.
      
      There's also been discussion about just how much POSIX strictly speaking
      requires this since it's about filesystem corruption.  It's really more
      "protect user space from bad behavior" as pointed out by Jann.  But
      since Eric Biederman looked up the POSIX wording, here it is for context:
      
       "From readdir:
      
         The readdir() function shall return a pointer to a structure
         representing the directory entry at the current position in the
         directory stream specified by the argument dirp, and position the
         directory stream at the next entry. It shall return a null pointer
         upon reaching the end of the directory stream. The structure dirent
         defined in the <dirent.h> header describes a directory entry.
      
        From definitions:
      
         3.129 Directory Entry (or Link)
      
         An object that associates a filename with a file. Several directory
         entries can associate names with the same file.
      
        ...
      
         3.169 Filename
      
         A name consisting of 1 to {NAME_MAX} bytes used to name a file. The
         characters composing the name may be selected from the set of all
         character values excluding the slash character and the null byte. The
         filenames dot and dot-dot have special meaning. A filename is
         sometimes referred to as a 'pathname component'."
      
      Note that I didn't bother adding the checks to any legacy interfaces
      that nobody uses.
      
      Also note that if this ends up being noticeable as a performance
      regression, we can fix that to do a much more optimized model that
      checks for both NUL and '/' at the same time one word at a time.
      
      We haven't really tended to optimize 'memchr()', and it only checks for
      one pattern at a time anyway, and we really _should_ check for NUL too
      (but see the comment about "soft errors" in the code about why it
      currently only checks for '/')
      
      See the CONFIG_DCACHE_WORD_ACCESS case of hash_name() for how the name
      lookup code looks for pathname terminating characters in parallel.
      
      Link: https://lore.kernel.org/lkml/20190118161440.220134-2-jannh@google.com/
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Jann Horn <jannh@google.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSiddharth Chandrasekaran <csiddharth@vmware.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      07c9dfce
    • Takashi Iwai's avatar
      ALSA: hda - Downgrade error message for single-cmd fallback · a4007f40
      Takashi Iwai authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 475feec0 ]
      
      We made the error message for the CORB/RIRB communication clearer by
      upgrading to dev_WARN() so that user can notice better.  But this
      struck us like a boomerang: now it caught syzbot and reported back as
      a fatal issue although it's not really any too serious bug that worth
      for stopping the whole system.
      
      OK, OK, let's be softy, downgrade it to the standard dev_err() again.
      
      Fixes: dd65f7e1 ("ALSA: hda - Show the fatal CORB/RIRB error more clearly")
      Reported-by: syzbot+b3028ac3933f5c466389@syzkaller.appspotmail.com
      Link: https://lore.kernel.org/r/20191216151224.30013-1-tiwai@suse.deSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      a4007f40
    • Johannes Weiner's avatar
      kernel: sysctl: make drop_caches write-only · d2cec9de
      Johannes Weiner authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 204cb79a ]
      
      Currently, the drop_caches proc file and sysctl read back the last value
      written, suggesting this is somehow a stateful setting instead of a
      one-time command.  Make it write-only, like e.g.  compact_memory.
      
      While mitigating a VM problem at scale in our fleet, there was confusion
      about whether writing to this file will permanently switch the kernel into
      a non-caching mode.  This influences the decision making in a tense
      situation, where tens of people are trying to fix tens of thousands of
      affected machines: Do we need a rollback strategy?  What are the
      performance implications of operating in a non-caching state for several
      days?  It also caused confusion when the kernel team said we may need to
      write the file several times to make sure it's effective ("But it already
      reads back 3?").
      
      Link: http://lkml.kernel.org/r/20191031221602.9375-1-hannes@cmpxchg.orgSigned-off-by: default avatarJohannes Weiner <hannes@cmpxchg.org>
      Acked-by: default avatarChris Down <chris@chrisdown.name>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Acked-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarAlexey Dobriyan <adobriyan@gmail.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      d2cec9de
    • Ding Xiang's avatar
      ocfs2: fix passing zero to 'PTR_ERR' warning · f404d73e
      Ding Xiang authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 188c523e ]
      
      Fix a static code checker warning:
      fs/ocfs2/acl.c:331
      	ocfs2_acl_chmod() warn: passing zero to 'PTR_ERR'
      
      Link: http://lkml.kernel.org/r/1dee278b-6c96-eec2-ce76-fe6e07c6e20f@linux.alibaba.com
      Fixes: 5ee0fbd5 ("ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang")
      Signed-off-by: default avatarDing Xiang <dingxiang@cmss.chinamobile.com>
      Reviewed-by: default avatarJoseph Qi <joseph.qi@linux.alibaba.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Gang He <ghe@suse.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      f404d73e
    • Thomas Richter's avatar
      s390/cpum_sf: Check for SDBT and SDB consistency · a06124a3
      Thomas Richter authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 247f265f ]
      
      Each SBDT is located at a 4KB page and contains 512 entries.
      Each entry of a SDBT points to a SDB, a 4KB page containing
      sampled data. The last entry is a link to another SDBT page.
      
      When an event is created the function sequence executed is:
      
        __hw_perf_event_init()
        +--> allocate_buffers()
             +--> realloc_sampling_buffers()
      	    +---> alloc_sample_data_block()
      
      Both functions realloc_sampling_buffers() and
      alloc_sample_data_block() allocate pages and the allocation
      can fail. This is handled correctly and all allocated
      pages are freed and error -ENOMEM is returned to the
      top calling function. Finally the event is not created.
      
      Once the event has been created, the amount of initially
      allocated SDBT and SDB can be too low. This is detected
      during measurement interrupt handling, where the amount
      of lost samples is calculated. If the number of lost samples
      is too high considering sampling frequency and already allocated
      SBDs, the number of SDBs is enlarged during the next execution
      of cpumsf_pmu_enable().
      
      If more SBDs need to be allocated, functions
      
             realloc_sampling_buffers()
             +---> alloc-sample_data_block()
      
      are called to allocate more pages. Page allocation may fail
      and the returned error is ignored. A SDBT and SDB setup
      already exists.
      
      However the modified SDBTs and SDBs might end up in a situation
      where the first entry of an SDBT does not point to an SDB,
      but another SDBT, basicly an SBDT without payload.
      This can not be handled by the interrupt handler, where an SDBT
      must have at least one entry pointing to an SBD.
      
      Add a check to avoid SDBTs with out payload (SDBs) when enlarging
      the buffer setup.
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Signed-off-by: default avatarVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      a06124a3
    • Masahiro Yamada's avatar
      libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h · 25f569b8
      Masahiro Yamada authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit a8de1304 ]
      
      The DTC v1.5.1 added references to (U)INT32_MAX.
      
      This is no problem for user-space programs since <stdint.h> defines
      (U)INT32_MAX along with (u)int32_t.
      
      For the kernel space, libfdt_env.h needs to be adjusted before we
      pull in the changes.
      
      In the kernel, we usually use s/u32 instead of (u)int32_t for the
      fixed-width types.
      
      Accordingly, we already have S/U32_MAX for their max values.
      So, we should not add (U)INT32_MAX to <linux/limits.h> any more.
      
      Instead, add them to the in-kernel libfdt_env.h to compile the
      latest libfdt.
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      25f569b8
    • Arnaldo Carvalho de Melo's avatar
      perf regs: Make perf_reg_name() return "unknown" instead of NULL · 680edd12
      Arnaldo Carvalho de Melo authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 5b596e0f ]
      
      To avoid breaking the build on arches where this is not wired up, at
      least all the other features should be made available and when using
      this specific routine, the "unknown" should point the user/developer to
      the need to wire this up on this particular hardware architecture.
      
      Detected in a container mipsel debian cross build environment, where it
      shows up as:
      
        In file included from /usr/mipsel-linux-gnu/include/stdio.h:867,
                         from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
                         from util/session.c:13:
        In function 'printf',
            inlined from 'regs_dump__printf' at util/session.c:1103:3,
            inlined from 'regs__printf' at util/session.c:1131:2:
        /usr/mipsel-linux-gnu/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
          107 |   return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
              |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      cross compiler details:
      
        mipsel-linux-gnu-gcc (Debian 9.2.1-8) 9.2.1 20190909
      
      Also on mips64:
      
        In file included from /usr/mips64-linux-gnuabi64/include/stdio.h:867,
                         from /git/linux/tools/perf/lib/include/perf/cpumap.h:6,
                         from util/session.c:13:
        In function 'printf',
            inlined from 'regs_dump__printf' at util/session.c:1103:3,
            inlined from 'regs__printf' at util/session.c:1131:2,
            inlined from 'regs_user__printf' at util/session.c:1139:3,
            inlined from 'dump_sample' at util/session.c:1246:3,
            inlined from 'machines__deliver_event' at util/session.c:1421:3:
        /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
          107 |   return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
              |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        In function 'printf',
            inlined from 'regs_dump__printf' at util/session.c:1103:3,
            inlined from 'regs__printf' at util/session.c:1131:2,
            inlined from 'regs_intr__printf' at util/session.c:1147:3,
            inlined from 'dump_sample' at util/session.c:1249:3,
            inlined from 'machines__deliver_event' at util/session.c:1421:3:
        /usr/mips64-linux-gnuabi64/include/bits/stdio2.h:107:10: error: '%-5s' directive argument is null [-Werror=format-overflow=]
          107 |   return __printf_chk (__USE_FORTIFY_LEVEL - 1, __fmt, __va_arg_pack ());
              |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      
      cross compiler details:
      
        mips64-linux-gnuabi64-gcc (Debian 9.2.1-8) 9.2.1 20190909
      
      Fixes: 2bcd355b ("perf tools: Add interface to arch registers sets")
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Link: https://lkml.kernel.org/n/tip-95wjyv4o65nuaeweq31t7l1s@git.kernel.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      680edd12
    • Diego Elio Pettenò's avatar
      cdrom: respect device capabilities during opening action · 86f47a23
      Diego Elio Pettenò authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 366ba7c7 ]
      
      Reading the TOC only works if the device can play audio, otherwise
      these commands fail (and possibly bring the device to an unhealthy
      state.)
      
      Similarly, cdrom_mmc3_profile() should only be called if the device
      supports generic packet commands.
      
      To: Jens Axboe <axboe@kernel.dk>
      Cc: linux-kernel@vger.kernel.org
      Cc: linux-scsi@vger.kernel.org
      Signed-off-by: default avatarDiego Elio Pettenò <flameeyes@flameeyes.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      86f47a23
    • Masahiro Yamada's avatar
      scripts/kallsyms: fix definitely-lost memory leak · 020a7e99
      Masahiro Yamada authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 21915eca ]
      
      build_initial_tok_table() overwrites unused sym_entry to shrink the
      table size. Before the entry is overwritten, table[i].sym must be freed
      since it is malloc'ed data.
      
      This fixes the 'definitely lost' report from valgrind. I ran valgrind
      against x86_64_defconfig of v5.4-rc8 kernel, and here is the summary:
      
      [Before the fix]
      
        LEAK SUMMARY:
           definitely lost: 53,184 bytes in 2,874 blocks
      
      [After the fix]
      
        LEAK SUMMARY:
           definitely lost: 0 bytes in 0 blocks
      Signed-off-by: default avatarMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      020a7e99
    • Vladimir Oltean's avatar
      gpio: mpc8xxx: Don't overwrite default irq_set_type callback · e7525465
      Vladimir Oltean authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 4e50573f ]
      
      The per-SoC devtype structures can contain their own callbacks that
      overwrite mpc8xxx_gpio_devtype_default.
      
      The clear intention is that mpc8xxx_irq_set_type is used in case the SoC
      does not specify a more specific callback. But what happens is that if
      the SoC doesn't specify one, its .irq_set_type is de-facto NULL, and
      this overwrites mpc8xxx_irq_set_type to a no-op. This means that the
      following SoCs are affected:
      
      - fsl,mpc8572-gpio
      - fsl,ls1028a-gpio
      - fsl,ls1088a-gpio
      
      On these boards, the irq_set_type does exactly nothing, and the GPIO
      controller keeps its GPICR register in the hardware-default state. On
      the LS1028A, that is ACTIVE_BOTH, which means 2 interrupts are raised
      even if the IRQ client requests LEVEL_HIGH. Another implication is that
      the IRQs are not checked (e.g. level-triggered interrupts are not
      rejected, although they are not supported).
      
      Fixes: 82e39b0d ("gpio: mpc8xxx: handle differences between incarnations at a single place")
      Signed-off-by: default avatarVladimir Oltean <vladimir.oltean@nxp.com>
      Link: https://lore.kernel.org/r/20191115125551.31061-1-olteanv@gmail.comTested-by: default avatarMichael Walle <michael@walle.cc>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      e7525465
    • Bart Van Assche's avatar
      scsi: target: iscsi: Wait for all commands to finish before freeing a session · bf3a2dfd
      Bart Van Assche authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit e9d3009c ]
      
      The iSCSI target driver is the only target driver that does not wait for
      ongoing commands to finish before freeing a session. Make the iSCSI target
      driver wait for ongoing commands to finish before freeing a session. This
      patch fixes the following KASAN complaint:
      
      BUG: KASAN: use-after-free in __lock_acquire+0xb1a/0x2710
      Read of size 8 at addr ffff8881154eca70 by task kworker/0:2/247
      
      CPU: 0 PID: 247 Comm: kworker/0:2 Not tainted 5.4.0-rc1-dbg+ #6
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
      Workqueue: target_completion target_complete_ok_work [target_core_mod]
      Call Trace:
       dump_stack+0x8a/0xd6
       print_address_description.constprop.0+0x40/0x60
       __kasan_report.cold+0x1b/0x33
       kasan_report+0x16/0x20
       __asan_load8+0x58/0x90
       __lock_acquire+0xb1a/0x2710
       lock_acquire+0xd3/0x200
       _raw_spin_lock_irqsave+0x43/0x60
       target_release_cmd_kref+0x162/0x7f0 [target_core_mod]
       target_put_sess_cmd+0x2e/0x40 [target_core_mod]
       lio_check_stop_free+0x12/0x20 [iscsi_target_mod]
       transport_cmd_check_stop_to_fabric+0xd8/0xe0 [target_core_mod]
       target_complete_ok_work+0x1b0/0x790 [target_core_mod]
       process_one_work+0x549/0xa40
       worker_thread+0x7a/0x5d0
       kthread+0x1bc/0x210
       ret_from_fork+0x24/0x30
      
      Allocated by task 889:
       save_stack+0x23/0x90
       __kasan_kmalloc.constprop.0+0xcf/0xe0
       kasan_slab_alloc+0x12/0x20
       kmem_cache_alloc+0xf6/0x360
       transport_alloc_session+0x29/0x80 [target_core_mod]
       iscsi_target_login_thread+0xcd6/0x18f0 [iscsi_target_mod]
       kthread+0x1bc/0x210
       ret_from_fork+0x24/0x30
      
      Freed by task 1025:
       save_stack+0x23/0x90
       __kasan_slab_free+0x13a/0x190
       kasan_slab_free+0x12/0x20
       kmem_cache_free+0x146/0x400
       transport_free_session+0x179/0x2f0 [target_core_mod]
       transport_deregister_session+0x130/0x180 [target_core_mod]
       iscsit_close_session+0x12c/0x350 [iscsi_target_mod]
       iscsit_logout_post_handler+0x136/0x380 [iscsi_target_mod]
       iscsit_response_queue+0x8de/0xbe0 [iscsi_target_mod]
       iscsi_target_tx_thread+0x27f/0x370 [iscsi_target_mod]
       kthread+0x1bc/0x210
       ret_from_fork+0x24/0x30
      
      The buggy address belongs to the object at ffff8881154ec9c0
       which belongs to the cache se_sess_cache of size 352
      The buggy address is located 176 bytes inside of
       352-byte region [ffff8881154ec9c0, ffff8881154ecb20)
      The buggy address belongs to the page:
      page:ffffea0004553b00 refcount:1 mapcount:0 mapping:ffff888101755400 index:0x0 compound_mapcount: 0
      flags: 0x2fff000000010200(slab|head)
      raw: 2fff000000010200 dead000000000100 dead000000000122 ffff888101755400
      raw: 0000000000000000 0000000080130013 00000001ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8881154ec900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
       ffff8881154ec980: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
      >ffff8881154eca00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                   ^
       ffff8881154eca80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff8881154ecb00: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
      
      Cc: Mike Christie <mchristi@redhat.com>
      Link: https://lore.kernel.org/r/20191113220508.198257-3-bvanassche@acm.orgReviewed-by: default avatarRoman Bolshakov <r.bolshakov@yadro.com>
      Signed-off-by: default avatarBart Van Assche <bvanassche@acm.org>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      bf3a2dfd
    • peter chang's avatar
      scsi: pm80xx: Fix for SATA device discovery · f8e5b475
      peter chang authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit ce21c63e ]
      
      Driver was missing complete() call in mpi_sata_completion which result in
      SATA abort error handling timing out. That causes the device to be left in
      the in_recovery state so subsequent commands sent to the device fail and
      the OS removes access to it.
      
      Link: https://lore.kernel.org/r/20191114100910.6153-2-deepak.ukey@microchip.comAcked-by: default avatarJack Wang <jinpu.wang@cloud.ionos.com>
      Signed-off-by: default avatarpeter chang <dpf@google.com>
      Signed-off-by: default avatarDeepak Ukey <deepak.ukey@microchip.com>
      Signed-off-by: default avatarViswas G <Viswas.G@microchip.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      f8e5b475
    • Theodore Ts'o's avatar
      ext4: work around deleting a file with i_nlink == 0 safely · 08906a5e
      Theodore Ts'o authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit c7df4a1e ]
      
      If the file system is corrupted such that a file's i_links_count is
      too small, then it's possible that when unlinking that file, i_nlink
      will already be zero.  Previously we were working around this kind of
      corruption by forcing i_nlink to one; but we were doing this before
      trying to delete the directory entry --- and if the file system is
      corrupted enough that ext4_delete_entry() fails, then we exit with
      i_nlink elevated, and this causes the orphan inode list handling to be
      FUBAR'ed, such that when we unmount the file system, the orphan inode
      list can get corrupted.
      
      A better way to fix this is to simply skip trying to call drop_nlink()
      if i_nlink is already zero, thus moving the check to the place where
      it makes the most sense.
      
      https://bugzilla.kernel.org/show_bug.cgi?id=205433
      
      Link: https://lore.kernel.org/r/20191112032903.8828-1-tytso@mit.eduSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Reviewed-by: default avatarAndreas Dilger <adilger@dilger.ca>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      08906a5e
    • Blaž Hrastnik's avatar
      HID: Improve Windows Precision Touchpad detection. · 73372a21
      Blaž Hrastnik authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 2dbc6f11 ]
      
      Per Microsoft spec, usage 0xC5 (page 0xFF) returns a blob containing
      data used to verify the touchpad as a Windows Precision Touchpad.
      
         0x85, REPORTID_PTPHQA,    //    REPORT_ID (PTPHQA)
          0x09, 0xC5,              //    USAGE (Vendor Usage 0xC5)
          0x15, 0x00,              //    LOGICAL_MINIMUM (0)
          0x26, 0xff, 0x00,        //    LOGICAL_MAXIMUM (0xff)
          0x75, 0x08,              //    REPORT_SIZE (8)
          0x96, 0x00, 0x01,        //    REPORT_COUNT (0x100 (256))
          0xb1, 0x02,              //    FEATURE (Data,Var,Abs)
      
      However, some devices, namely Microsoft's Surface line of products
      instead implement a "segmented device certification report" (usage 0xC6)
      which returns the same report, but in smaller chunks.
      
          0x06, 0x00, 0xff,        //     USAGE_PAGE (Vendor Defined)
          0x85, REPORTID_PTPHQA,   //     REPORT_ID (PTPHQA)
          0x09, 0xC6,              //     USAGE (Vendor usage for segment #)
          0x25, 0x08,              //     LOGICAL_MAXIMUM (8)
          0x75, 0x08,              //     REPORT_SIZE (8)
          0x95, 0x01,              //     REPORT_COUNT (1)
          0xb1, 0x02,              //     FEATURE (Data,Var,Abs)
          0x09, 0xC7,              //     USAGE (Vendor Usage)
          0x26, 0xff, 0x00,        //     LOGICAL_MAXIMUM (0xff)
          0x95, 0x20,              //     REPORT_COUNT (32)
          0xb1, 0x02,              //     FEATURE (Data,Var,Abs)
      
      By expanding Win8 touchpad detection to also look for the segmented
      report, all Surface touchpads are now properly recognized by
      hid-multitouch.
      Signed-off-by: default avatarBlaž Hrastnik <blaz@mxxn.io>
      Signed-off-by: default avatarBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      73372a21
    • Coly Li's avatar
      bcache: at least try to shrink 1 node in bch_mca_scan() · 14cf523c
      Coly Li authored
      BugLink: https://bugs.launchpad.net/bugs/1858462
      
      [ Upstream commit 9fcc34b1 ]
      
      In bch_mca_scan(), the number of shrinking btree node is calculated
      by code like this,
      	unsigned long nr = sc->nr_to_scan;
      
              nr /= c->btree_pages;
              nr = min_t(unsigned long, nr, mca_can_free(c));
      variable sc->nr_to_scan is number of objects (here is bcache B+tree
      nodes' number) to shrink, and pointer variable sc is sent from memory
      management code as parametr of a callback.
      
      If sc->nr_to_scan is smaller than c->btree_pages, after the above
      calculation, variable 'nr' will be 0 and nothing will be shrunk. It is
      frequeently observed that only 1 or 2 is set to sc->nr_to_scan and make
      nr to be zero. Then bch_mca_scan() will do nothing more then acquiring
      and releasing mutex c->bucket_lock.
      
      This patch checkes whether nr is 0 after the above calculation, if 0
      is the result then set 1 to variable 'n'. Then at least bch_mca_scan()
      will try to shrink a single B+tree node.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      Signed-off-by: default avatarConnor Kuehl <connor.kuehl@canonical.com>
      Signed-off-by: default avatarKleber Sacilotto de Souza <kleber.souza@canonical.com>
      14cf523c