1. 12 Nov, 2019 40 commits
    • ipvs: don't ignore errors in case refcounting ip_vs module fails · 102f4078
      Davide Caratti authored
      [ Upstream commit 62931f59 ]
      
      If the IPVS module is removed while the sync daemon is starting, there is
      a small gap where try_module_get() might fail getting the refcount inside
      ip_vs_use_count_inc(). Then, the refcounts of IPVS module are unbalanced,
      and the subsequent call to stop_sync_thread() causes the following splat:
      
       WARNING: CPU: 0 PID: 4013 at kernel/module.c:1146 module_put.part.44+0x15b/0x290
        Modules linked in: ip_vs(-) nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 veth ip6table_filter ip6_tables iptable_filter binfmt_misc intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul ext4 mbcache jbd2 ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd glue_helper joydev pcspkr snd_timer virtio_balloon snd soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk failover virtio_console qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ata_piix ttm crc32c_intel serio_raw drm virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv6]
        CPU: 0 PID: 4013 Comm: modprobe Tainted: G        W         5.4.0-rc1.upstream+ #741
        Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
        RIP: 0010:module_put.part.44+0x15b/0x290
        Code: 04 25 28 00 00 00 0f 85 18 01 00 00 48 83 c4 68 5b 5d 41 5c 41 5d 41 5e 41 5f c3 89 44 24 28 83 e8 01 89 c5 0f 89 57 ff ff ff <0f> 0b e9 78 ff ff ff 65 8b 1d 67 83 26 4a 89 db be 08 00 00 00 48
        RSP: 0018:ffff888050607c78 EFLAGS: 00010297
        RAX: 0000000000000003 RBX: ffffffffc1420590 RCX: ffffffffb5db0ef9
        RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffc1420590
        RBP: 00000000ffffffff R08: fffffbfff82840b3 R09: fffffbfff82840b3
        R10: 0000000000000001 R11: fffffbfff82840b2 R12: 1ffff1100a0c0f90
        R13: ffffffffc1420200 R14: ffff88804f533300 R15: ffff88804f533ca0
        FS:  00007f8ea9720740(0000) GS:ffff888053800000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f3245abe000 CR3: 000000004c28a006 CR4: 00000000001606f0
        Call Trace:
         stop_sync_thread+0x3a3/0x7c0 [ip_vs]
         ip_vs_sync_net_cleanup+0x13/0x50 [ip_vs]
         ops_exit_list.isra.5+0x94/0x140
         unregister_pernet_operations+0x29d/0x460
         unregister_pernet_device+0x26/0x60
         ip_vs_cleanup+0x11/0x38 [ip_vs]
         __x64_sys_delete_module+0x2d5/0x400
         do_syscall_64+0xa5/0x4e0
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f8ea8bf0db7
        Code: 73 01 c3 48 8b 0d b9 80 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 80 2c 00 f7 d8 64 89 01 48
        RSP: 002b:00007ffcd38d2fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000000002436240 RCX: 00007f8ea8bf0db7
        RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00000000024362a8
        RBP: 0000000000000000 R08: 00007f8ea8eba060 R09: 00007f8ea8c658a0
        R10: 00007ffcd38d2a60 R11: 0000000000000206 R12: 0000000000000000
        R13: 0000000000000001 R14: 00000000024362a8 R15: 0000000000000000
        irq event stamp: 4538
        hardirqs last  enabled at (4537): [<ffffffffb6193dde>] quarantine_put+0x9e/0x170
        hardirqs last disabled at (4538): [<ffffffffb5a0556a>] trace_hardirqs_off_thunk+0x1a/0x20
        softirqs last  enabled at (4522): [<ffffffffb6f8ebe9>] sk_common_release+0x169/0x2d0
        softirqs last disabled at (4520): [<ffffffffb6f8eb3e>] sk_common_release+0xbe/0x2d0
      
      Check the return value of ip_vs_use_count_inc() and let its caller return
      proper error. Inside do_ip_vs_set_ctl() the module is already refcounted,
      we don't need refcount/derefcount there. Finally, in register_ip_vs_app()
      and start_sync_thread(), take the module refcount earlier and ensure it's
      released in the error path.
      
      Change since v1:
       - better return values in case of failure of ip_vs_use_count_inc(),
         thanks to Julian Anastasov
       - no need to increase/decrease the module refcount in ip_vs_set_ctl(),
         thanks to Julian Anastasov
      Signed-off-by: Davide Caratti <dcaratti@redhat.com>
      Signed-off-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
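The refcount imbalance described in the ipvs commit message above, as an added example that is not part of the commit or of the kernel source. It is a user-space C model: `model_get`, `model_put`, `start_sync_before`, `start_sync_after` and `stop_sync` are hypothetical stand-ins for the module refcounting and sync-daemon paths the message names, and the `-1` error value is a placeholder.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of a module's reference count; not kernel code. */
struct module_model {
    int  refcnt;    /* references currently held */
    bool going;     /* true once module removal has started */
    int  warnings;  /* puts that had no matching get (the "splat") */
};

struct sync_model {
    bool running;   /* sync daemon believes it holds a reference */
};

/* Taking a reference fails once removal is in progress. */
static bool model_get(struct module_model *m)
{
    if (m->going)
        return false;
    m->refcnt++;
    return true;
}

/* Dropping a reference that was never taken is recorded as a warning. */
static void model_put(struct module_model *m)
{
    if (m->refcnt <= 0) {
        m->warnings++;
        return;
    }
    m->refcnt--;
}

/* Before: the result of the get is ignored, so the daemon is marked
 * running even when no reference was obtained. */
static int start_sync_before(struct module_model *m, struct sync_model *s,
                             bool setup_fails)
{
    if (setup_fails)
        return -1;
    s->running = true;
    (void)model_get(m);
    return 0;
}

/* After: take the reference first, propagate failure, and release the
 * reference on the error path. */
static int start_sync_after(struct module_model *m, struct sync_model *s,
                            bool setup_fails)
{
    if (!model_get(m))
        return -1;          /* placeholder error value */
    if (setup_fails) {
        model_put(m);
        return -1;
    }
    s->running = true;
    return 0;
}

/* Cleanup drops the reference the daemon is assumed to hold. */
static void stop_sync(struct module_model *m, struct sync_model *s)
{
    if (!s->running)
        return;
    s->running = false;
    model_put(m);
}

/* Start the daemon while the module is being removed, then clean up.
 * Returns the number of unbalanced puts observed. */
static int unbalanced_puts(bool use_fix)
{
    struct module_model m = { .refcnt = 0, .going = true, .warnings = 0 };
    struct sync_model s = { .running = false };

    if (use_fix)
        start_sync_after(&m, &s, false);
    else
        start_sync_before(&m, &s, false);
    stop_sync(&m, &s);
    return m.warnings;
}

/* Error path of the fixed start routine: the count must return to zero. */
static int refcnt_after_failed_setup(void)
{
    struct module_model m = { .refcnt = 0, .going = false, .warnings = 0 };
    struct sync_model s = { .running = false };

    start_sync_after(&m, &s, true);
    return m.refcnt;
}

int main(void)
{
    printf("before fix: %d unbalanced put(s)\n", unbalanced_puts(false));
    printf("after fix:  %d unbalanced put(s)\n", unbalanced_puts(true));
    printf("refcnt after failed setup: %d\n", refcnt_after_failed_setup());
    return 0;
}
```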
    • netfilter: nf_flow_table: set timeout before insertion into hashes · 81de0b50
      Pablo Neira Ayuso authored
      [ Upstream commit daf61b02 ]
      
      Other garbage collector might remove an entry not fully set up yet.
      
      [570953.958293] RIP: 0010:memcmp+0x9/0x50
      [...]
      [570953.958567]  flow_offload_hash_cmp+0x1e/0x30 [nf_flow_table]
      [570953.958585]  flow_offload_lookup+0x8c/0x110 [nf_flow_table]
      [570953.958606]  nf_flow_offload_ip_hook+0x135/0xb30 [nf_flow_table]
      [570953.958624]  nf_flow_offload_inet_hook+0x35/0x37 [nf_flow_table_inet]
      [570953.958646]  nf_hook_slow+0x3c/0xb0
      [570953.958664]  __netif_receive_skb_core+0x90f/0xb10
      [570953.958678]  ? ip_rcv_finish+0x82/0xa0
      [570953.958692]  __netif_receive_skb_one_core+0x3b/0x80
      [570953.958711]  __netif_receive_skb+0x18/0x60
      [570953.958727]  netif_receive_skb_internal+0x45/0xf0
      [570953.958741]  napi_gro_receive+0xcd/0xf0
      [570953.958764]  ixgbe_clean_rx_irq+0x432/0xe00 [ixgbe]
      [570953.958782]  ixgbe_poll+0x27b/0x700 [ixgbe]
      [570953.958796]  net_rx_action+0x284/0x3c0
      [570953.958817]  __do_softirq+0xcc/0x27c
      [570953.959464]  irq_exit+0xe8/0x100
      [570953.960097]  do_IRQ+0x59/0xe0
      [570953.960734]  common_interrupt+0xf/0xf
      
      Fixes: 43c8f131 ("netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast")
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • scsi: qla2xxx: Initialized mailbox to prevent driver load failure · d45fc2ed
      Himanshu Madhani authored
      [ Upstream commit c2ff2a36 ]
      
      This patch fixes issue with Gen7 adapter in a blade environment where one
      of the ports will not be detected by driver. Firmware expects mailbox 11 to
      be set or cleared by driver for newer ISP.
      
      Following message is seen in the log file:
      
      [   18.810892] qla2xxx [0000:d8:00.0]-1820:1: **** Failed=102 mb[0]=4005 mb[1]=37 mb[2]=20 mb[3]=8
      [   18.819596]  cmd=2 ****
      
      [mkp: typos]
      
      Link: https://lore.kernel.org/r/20191022193643.7076-2-hmadhani@marvell.com
      Signed-off-by: Himanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • scsi: lpfc: Honor module parameter lpfc_use_adisc · b6612a3d
      Daniel Wagner authored
      [ Upstream commit 0fd103cc ]
      
      The initial lpfc_desc_set_adisc implementation in commit
      dea3101e ("lpfc: add Emulex FC driver version 8.0.28") enabled ADISC if
      
      	cfg_use_adisc && RSCN_MODE && FCP_2_DEVICE
      
      In commit 92d7f7b0 ("[SCSI] lpfc: NPIV: add NPIV support on top of
      SLI-3") this changed to
      
      	(cfg_use_adisc && RSC_MODE) || FCP_2_DEVICE
      
      and later in commit ffc95493 ("[SCSI] lpfc 8.3.13: FC Discovery Fixes
      and enhancements.") to
      
      	(cfg_use_adisc && RSC_MODE) || (FCP_2_DEVICE && FCP_TARGET)
      
      A customer reports that after a devloss, an ADISC failure is logged. It
      turns out the ADISC flag is set even if the user explicitly set
      lpfc_use_adisc = 0.
      
      [Sat Dec 22 22:55:58 2018] lpfc 0000:82:00.0: 2:(0):0203 Devloss timeout on WWPN 50:01:43:80:12:8e:40:20 NPort x05df00 Data: x82000000 x8 xa
      [Sat Dec 22 23:08:20 2018] lpfc 0000:82:00.0: 2:(0):2755 ADISC failure DID:05DF00 Status:x9/x70000
      
      [mkp: fixed Hannes' email]
      
      Fixes: 92d7f7b0 ("[SCSI] lpfc: NPIV: add NPIV support on top of SLI-3")
      Cc: Dick Kennedy <dick.kennedy@broadcom.com>
      Cc: James Smart <james.smart@broadcom.com>
      Link: https://lore.kernel.org/r/20191022072112.132268-1-dwagner@suse.de
      Reviewed-by: Hannes Reinecke <hare@suse.de>
      Reviewed-by: James Smart <james.smart@broadcom.com>
      Signed-off-by: Daniel Wagner <dwagner@suse.de>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • net: openvswitch: free vport unless register_netdevice() succeeds · 4e80e561
      Hillf Danton authored
      [ Upstream commit 9464cc37 ]
      
      syzbot found the following crash on:
      
      HEAD commit:    1e78030e Merge tag 'mmc-v5.3-rc1' of git://git.kernel.org/..
      git tree:       upstream
      console output: https://syzkaller.appspot.com/x/log.txt?x=148d3d1a600000
      kernel config:  https://syzkaller.appspot.com/x/.config?x=30cef20daf3e9977
      dashboard link: https://syzkaller.appspot.com/bug?extid=13210896153522fe1ee5
      compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
      syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=136aa8c4600000
      C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=109ba792600000
      
      =====================================================================
      BUG: memory leak
      unreferenced object 0xffff8881207e4100 (size 128):
         comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s)
         hex dump (first 32 bytes):
           00 70 16 18 81 88 ff ff 80 af 8c 22 81 88 ff ff  .p........."....
           00 b6 23 17 81 88 ff ff 00 00 00 00 00 00 00 00  ..#.............
         backtrace:
           [<000000000eb78212>] kmemleak_alloc_recursive  include/linux/kmemleak.h:43 [inline]
           [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline]
           [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline]
           [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
           [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline]
           [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline]
           [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0  net/openvswitch/vport.c:130
           [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0  net/openvswitch/vport-internal_dev.c:164
           [<0000000056ee7c13>] ovs_vport_add+0x81/0x190  net/openvswitch/vport.c:199
           [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194
           [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410  net/openvswitch/datapath.c:1614
           [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0  net/netlink/genetlink.c:629
           [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654
           [<000000006694b647>] netlink_rcv_skb+0x61/0x170  net/netlink/af_netlink.c:2477
           [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665
           [<00000000dad42a47>] netlink_unicast_kernel  net/netlink/af_netlink.c:1302 [inline]
           [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0  net/netlink/af_netlink.c:1328
           [<0000000067e6b079>] netlink_sendmsg+0x270/0x480  net/netlink/af_netlink.c:1917
           [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline]
           [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657
           [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311
           [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356
           [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline]
           [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline]
           [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363
      
      BUG: memory leak
      unreferenced object 0xffff88811723b600 (size 64):
         comm "syz-executor032", pid 7014, jiffies 4294944027 (age 13.830s)
         hex dump (first 32 bytes):
           01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00  ................
           00 00 00 00 00 00 00 00 02 00 00 00 05 35 82 c1  .............5..
         backtrace:
           [<00000000352f46d8>] kmemleak_alloc_recursive  include/linux/kmemleak.h:43 [inline]
           [<00000000352f46d8>] slab_post_alloc_hook mm/slab.h:522 [inline]
           [<00000000352f46d8>] slab_alloc mm/slab.c:3319 [inline]
           [<00000000352f46d8>] __do_kmalloc mm/slab.c:3653 [inline]
           [<00000000352f46d8>] __kmalloc+0x169/0x300 mm/slab.c:3664
           [<000000008e48f3d1>] kmalloc include/linux/slab.h:557 [inline]
           [<000000008e48f3d1>] ovs_vport_set_upcall_portids+0x54/0xd0  net/openvswitch/vport.c:343
           [<00000000541e4f4a>] ovs_vport_alloc+0x7f/0xf0  net/openvswitch/vport.c:139
           [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0  net/openvswitch/vport-internal_dev.c:164
           [<0000000056ee7c13>] ovs_vport_add+0x81/0x190  net/openvswitch/vport.c:199
           [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194
           [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410  net/openvswitch/datapath.c:1614
           [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0  net/netlink/genetlink.c:629
           [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654
           [<000000006694b647>] netlink_rcv_skb+0x61/0x170  net/netlink/af_netlink.c:2477
           [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665
           [<00000000dad42a47>] netlink_unicast_kernel  net/netlink/af_netlink.c:1302 [inline]
           [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0  net/netlink/af_netlink.c:1328
           [<0000000067e6b079>] netlink_sendmsg+0x270/0x480  net/netlink/af_netlink.c:1917
           [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline]
           [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657
           [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311
           [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356
      
      BUG: memory leak
      unreferenced object 0xffff8881228ca500 (size 128):
         comm "syz-executor032", pid 7015, jiffies 4294944622 (age 7.880s)
         hex dump (first 32 bytes):
           00 f0 27 18 81 88 ff ff 80 ac 8c 22 81 88 ff ff  ..'........"....
           40 b7 23 17 81 88 ff ff 00 00 00 00 00 00 00 00  @.#.............
         backtrace:
           [<000000000eb78212>] kmemleak_alloc_recursive  include/linux/kmemleak.h:43 [inline]
           [<000000000eb78212>] slab_post_alloc_hook mm/slab.h:522 [inline]
           [<000000000eb78212>] slab_alloc mm/slab.c:3319 [inline]
           [<000000000eb78212>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
           [<00000000006ea6c6>] kmalloc include/linux/slab.h:552 [inline]
           [<00000000006ea6c6>] kzalloc include/linux/slab.h:748 [inline]
           [<00000000006ea6c6>] ovs_vport_alloc+0x37/0xf0  net/openvswitch/vport.c:130
           [<00000000f9a04a7d>] internal_dev_create+0x24/0x1d0  net/openvswitch/vport-internal_dev.c:164
           [<0000000056ee7c13>] ovs_vport_add+0x81/0x190  net/openvswitch/vport.c:199
           [<000000005434efc7>] new_vport+0x19/0x80 net/openvswitch/datapath.c:194
           [<00000000b7b253f1>] ovs_dp_cmd_new+0x22f/0x410  net/openvswitch/datapath.c:1614
           [<00000000e0988518>] genl_family_rcv_msg+0x2ab/0x5b0  net/netlink/genetlink.c:629
           [<00000000d0cc9347>] genl_rcv_msg+0x54/0x9c net/netlink/genetlink.c:654
           [<000000006694b647>] netlink_rcv_skb+0x61/0x170  net/netlink/af_netlink.c:2477
           [<0000000088381f37>] genl_rcv+0x29/0x40 net/netlink/genetlink.c:665
           [<00000000dad42a47>] netlink_unicast_kernel  net/netlink/af_netlink.c:1302 [inline]
           [<00000000dad42a47>] netlink_unicast+0x1ec/0x2d0  net/netlink/af_netlink.c:1328
           [<0000000067e6b079>] netlink_sendmsg+0x270/0x480  net/netlink/af_netlink.c:1917
           [<00000000aab08a47>] sock_sendmsg_nosec net/socket.c:637 [inline]
           [<00000000aab08a47>] sock_sendmsg+0x54/0x70 net/socket.c:657
           [<000000004cb7c11d>] ___sys_sendmsg+0x393/0x3c0 net/socket.c:2311
           [<00000000c4901c63>] __sys_sendmsg+0x80/0xf0 net/socket.c:2356
           [<00000000c10abb2d>] __do_sys_sendmsg net/socket.c:2365 [inline]
           [<00000000c10abb2d>] __se_sys_sendmsg net/socket.c:2363 [inline]
           [<00000000c10abb2d>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2363
      =====================================================================
      
      The function in net core, register_netdevice(), may fail with vport's
      destruction callback either invoked or not. After commit 309b6697
      ("net: openvswitch: do not free vport if register_netdevice() is failed."),
      the duty to destroy vport is offloaded from the driver OTOH, which ends
      up in the memory leak reported.
      
      It is fixed by releasing vport unless device is registered successfully.
      To do that, the callback assignment is deferred until device is registered.
      
      Reported-by: syzbot+13210896153522fe1ee5@syzkaller.appspotmail.com
      Fixes: 309b6697 ("net: openvswitch: do not free vport if register_netdevice() is failed.")
      Cc: Taehee Yoo <ap420073@gmail.com>
      Cc: Greg Rose <gvrose8192@gmail.com>
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Cc: Ying Xue <ying.xue@windriver.com>
      Cc: Andrey Konovalov <andreyknvl@google.com>
      Signed-off-by: Hillf Danton <hdanton@sina.com>
      Acked-by: Pravin B Shelar <pshelar@ovn.org>
      [sbrivio: this was sent to dev@openvswitch.org and never made its way
       to netdev -- resending original patch]
      Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
      Reviewed-by: Greg Rose <gvrose8192@gmail.com>
      Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • RDMA/uverbs: Prevent potential underflow · 02725331
      Dan Carpenter authored
      [ Upstream commit a9018adf ]
      
      The issue is in drivers/infiniband/core/uverbs_std_types_cq.c in the
      UVERBS_HANDLER(UVERBS_METHOD_CQ_CREATE) function.  We check that:
      
              if (attr.comp_vector >= attrs->ufile->device->num_comp_vectors) {
      
      But we don't check if "attr.comp_vector" is negative.  It could
      potentially lead to an array underflow.  My concern would be where
      cq->vector is used in the create_cq() function from the cxgb4 driver.
      
      And really "attr.comp_vector" appears as a u32 to user space so that's
      the right type to use.
      
      Fixes: 9ee79fce ("IB/core: Add completion queue (cq) object actions")
      Link: https://lore.kernel.org/r/20191011133419.GA22905@mwanda
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
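The upper-bound-only check quoted in the RDMA/uverbs commit message above, beside its unsigned form, as an added example that is not the kernel's code. The limit `NUM_COMP_VECTORS`, the function names and the sample values are constructed for illustration; the only thing taken from the page is the shape of the comparison and the change of type to u32.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_COMP_VECTORS 4u   /* constructed device limit, not from the page */

enum verdict {
    REJECTED = 0,
    ACCEPTED_IN_RANGE = 1,
    ACCEPTED_OUT_OF_RANGE = 2   /* passed the check but is not a valid index */
};

/* Before: the value is held in a signed int and only the upper bound is
 * tested, mirroring "if (attr.comp_vector >= ...num_comp_vectors)". */
static enum verdict check_signed(uint32_t raw_from_user)
{
    int32_t comp_vector;

    /* Reinterpret the 32 bits user space supplied as a signed value. */
    memcpy(&comp_vector, &raw_from_user, sizeof(comp_vector));

    if (comp_vector >= (int32_t)NUM_COMP_VECTORS)
        return REJECTED;

    /* No lower-bound test exists, so a negative value reaches this point
     * and would later be used as an array index. */
    return comp_vector < 0 ? ACCEPTED_OUT_OF_RANGE : ACCEPTED_IN_RANGE;
}

/* After: with an unsigned type the same single comparison bounds the
 * value on both sides, because there is no negative range. */
static enum verdict check_unsigned(uint32_t raw_from_user)
{
    uint32_t comp_vector = raw_from_user;

    if (comp_vector >= NUM_COMP_VECTORS)
        return REJECTED;
    return ACCEPTED_IN_RANGE;
}

int main(void)
{
    /* Constructed inputs: two valid indices, the first invalid index, and
     * two bit patterns that are negative when read as a signed int. */
    const uint32_t samples[] = { 0u, 3u, 4u, 0x80000000u, 0xFFFFFFFFu };
    static const char *const names[] = {
        "rejected", "accepted", "ACCEPTED OUT OF RANGE"
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        printf("0x%08x  signed: %-22s unsigned: %s\n",
               (unsigned)samples[i],
               names[check_signed(samples[i])],
               names[check_unsigned(samples[i])]);
    }
    return 0;
}
```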
    • scsi: qla2xxx: fixup incorrect usage of host_byte · d582769a
      Hannes Reinecke authored
      [ Upstream commit 66cf50e6 ]
      
      DRIVER_ERROR is a driver byte setting, not a host byte.  The qla2xxx
      driver should rather return DID_ERROR here to be in line with the other
      drivers.
      
      Link: https://lore.kernel.org/r/20191018140458.108278-1-hare@suse.de
      Signed-off-by: Hannes Reinecke <hare@suse.com>
      Acked-by: Himanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq · 42de3a90
      Navid Emamdoost authored
      [ Upstream commit c8c2a057 ]
      
      In mlx5_fpga_conn_create_cq if mlx5_vector2eqn fails the allocated
      memory should be released.
      
      Fixes: 537a5057 ("net/mlx5: FPGA, Add high-speed connection routines")
      Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • net/mlx5e: TX, Fix consumer index of error cqe dump · 7dfdcd94
      Tariq Toukan authored
      [ Upstream commit 61ea02d2 ]
      
      The completion queue consumer index increments upon a call to
      mlx5_cqwq_pop().
      When dumping an error CQE, the index is already incremented.
      Decrease one for the print command.
      
      Fixes: 16cc14d8 ("net/mlx5e: Dump xmit error completions")
      Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • RDMA/qedr: Fix reported firmware version · 48dd7128
      Kamal Heib authored
      [ Upstream commit b806c94e ]
      
      Remove spaces from the reported firmware version string.
      Actual value:
      $ cat /sys/class/infiniband/qedr0/fw_ver
      8. 37. 7. 0
      
      Expected value:
      $ cat /sys/class/infiniband/qedr0/fw_ver
      8.37.7.0
      
      Fixes: ec72fce4 ("qedr: Add support for RoCE HW init")
      Signed-off-by: Kamal Heib <kamalheib1@gmail.com>
      Acked-by: Michal Kalderon <michal.kalderon@marvell.com>
      Link: https://lore.kernel.org/r/20191007210730.7173-1-kamalheib1@gmail.com
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • iw_cxgb4: fix ECN check on the passive accept · 6208c2bf
      Potnuri Bharat Teja authored
      [ Upstream commit 612e0486 ]
      
      pass_accept_req() is using the same skb for handling accept request and
      sending accept reply to HW. Here req and rpl structures are pointing to
      same skb->data which is over written by INIT_TP_WR() and leads to
      accessing corrupt req fields in accept_cr() while checking for ECN flags.
      Reordered code in accept_cr() to fetch correct req fields.
      
      Fixes: 92e7ae71 ("iw_cxgb4: Choose appropriate hw mtu index and ISS for iWARP connections")
      Signed-off-by: Potnuri Bharat Teja <bharat@chelsio.com>
      Link: https://lore.kernel.org/r/20191003104353.11590-1-bharat@chelsio.com
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • RDMA/mlx5: Clear old rate limit when closing QP · 89aa9e26
      Rafi Wiener authored
      [ Upstream commit c8973df2 ]
      
      Before QP is closed it changes to ERROR state, when this happens
      the QP was left with old rate limit that was already removed from
      the table.
      
      Fixes: 7d29f349 ("IB/mlx5: Properly adjust rate limit on QP state transitions")
      Signed-off-by: Rafi Wiener <rafiw@mellanox.com>
      Signed-off-by: Oleg Kuporosov <olegk@mellanox.com>
      Signed-off-by: Leon Romanovsky <leonro@mellanox.com>
      Link: https://lore.kernel.org/r/20191002120243.16971-1-leon@kernel.org
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring() · d6706b2e
      Zhang Lixu authored
      [ Upstream commit 16ff7bf6 ]
      
      When allocating tx ring buffers failed, should free tx buffers, not rx buffers.

      Signed-off-by: Zhang Lixu <lixu.zhang@intel.com>
      Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • dmaengine: sprd: Fix the possible memory leak issue · 113a154e
      Baolin Wang authored
      [ Upstream commit ec1ac309 ]
      
      If we terminate the channel to free all descriptors associated with this
      channel, we will leak the memory of current descriptor if the current
      descriptor is not completed, since it had been deleted from the desc_issued
      list and have not been added into the desc_completed list.
      
      Thus we should check if current descriptor is completed or not, when freeing
      the descriptors associated with one channel, if not, we should free it to
      avoid this issue.
      
      Fixes: 9b3b8171 ("dmaengine: sprd: Add Spreadtrum DMA driver")
      Reported-by: Zhenfang Wang <zhenfang.wang@unisoc.com>
      Tested-by: Zhenfang Wang <zhenfang.wang@unisoc.com>
      Signed-off-by: Baolin Wang <baolin.wang@linaro.org>
      Link: https://lore.kernel.org/r/170dbbc6d5366b6fa974ce2d366652e23a334251.1570609788.git.baolin.wang@linaro.org
      Signed-off-by: Vinod Koul <vkoul@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config · 6040f96d
      Radhey Shyam Pandey authored
      [ Upstream commit 6c6de1dd ]
      
      In vdma_channel_set_config clear the delay, frame count and master mask
      before updating their new values. It avoids programming incorrect state
      when input parameters are different from default.

      Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@xilinx.com>
      Acked-by: Appana Durga Kedareswara rao <appana.durga.rao@xilinx.com>
      Signed-off-by: Michal Simek <michal.simek@xilinx.com>
      Link: https://lore.kernel.org/r/1569495060-18117-3-git-send-email-radhey.shyam.pandey@xilinx.com
      Signed-off-by: Vinod Koul <vkoul@kernel.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • HID: google: add magnemite/masterball USB ids · 78e7e024
      Nicolas Boichat authored
      [ Upstream commit 9e4dbc46 ]
      
      Add 2 additional hammer-like devices.

      Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
      Signed-off-by: Jiri Kosina <jkosina@suse.cz>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 · 8181146c
      Vidya Sagar authored
      commit 7be142ca upstream.
      
      The PCI Tegra controller conversion to a device tree configurable
      driver in commit d1523b52 ("PCI: tegra: Move PCIe driver
      to drivers/pci/host") implied that code for the driver can be
      compiled in for a kernel supporting multiple platforms.
      
      Unfortunately, a blind move of the code did not check that some of the
      quirks that were applied in arch/arm (eg enabling Relaxed Ordering on
      all PCI devices - since the quirk hook erroneously matches PCI_ANY_ID
      for both Vendor-ID and Device-ID) are now applied in all kernels that
      compile the PCI Tegra controlled driver, DT and ACPI alike.
      
      This is completely wrong, in that enablement of Relaxed Ordering is only
      required by default in Tegra20 platforms as described in the Tegra20
      Technical Reference Manual (available at
      https://developer.nvidia.com/embedded/downloads#?search=tegra%202 in
      Section 34.1, where it is mentioned that Relaxed Ordering bit needs to
      be enabled in its root ports to avoid deadlock in hardware) and in the
      Tegra30 platforms for the same reasons (unfortunately not documented
      in the TRM).
      
      There is no other strict requirement on PCI devices Relaxed Ordering
      enablement on any other Tegra platforms or PCI host bridge driver.
      
      Fix this quite upsetting situation by limiting the vendor and device IDs
      to which the Relaxed Ordering quirk applies to the root ports in
      question, reported above.

      Signed-off-by: Vidya Sagar <vidyas@nvidia.com>
      [lorenzo.pieralisi@arm.com: completely rewrote the commit log/fixes tag]
      Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Acked-by: Thierry Reding <treding@nvidia.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usbip: Implement SG support to vhci-hcd and stub driver · e2dd254b
      Suwan Kim authored
      commit ea44d190 upstream.
      
      There are bugs on vhci with usb 3.0 storage device. In USB, each SG
      list entry buffer should be divisible by the bulk max packet size.
      But with native SG support, this problem doesn't matter because the
      SG buffer is treated as contiguous buffer. But without native SG
      support, USB storage driver breaks SG list into several URBs and the
      error occurs because of a buffer size of URB that cannot be divided
      by the bulk max packet size. The error situation is as follows.
      
      When USB Storage driver requests 31.5 KB data and has SG list which
      has 3584 bytes buffer followed by 7 4096 bytes buffer for some
      reason. USB Storage driver splits this SG list into several URBs
      because VHCI doesn't support SG and sends them separately. So the
      first URB buffer size is 3584 bytes. When receiving data from device,
      USB 3.0 device sends data packet of 1024 bytes size because the max
      packet size of BULK pipe is 1024 bytes. So device sends 4096 bytes.
      But the first URB buffer has only 3584 bytes buffer size. So host
      controller terminates the transfer even though there is more data to
      receive. So, vhci needs to support SG transfer to prevent this error.
      
      In this patch, vhci supports SG regardless of whether the server's
      host controller supports SG or not, because stub driver splits SG
      list into several URBs if the server's host controller doesn't
      support SG.
      
      To support SG, vhci sets URB_DMA_MAP_SG flag in urb->transfer_flags
      if URB has SG list and this flag will tell stub driver to use SG
      list. After receiving urb from stub driver, vhci clears URB_DMA_MAP_SG
      flag to avoid unnecessary DMA unmapping in HCD.
      
      vhci sends each SG list entry to stub driver. Then, stub driver sees
      the total length of the buffer and allocates SG table and pages
      according to the total buffer length calling sgl_alloc(). After stub
      driver receives completed URB, it again sends each SG list entry to
      vhci.
      
      If the server's host controller doesn't support SG, stub driver
      breaks a single SG request into several URBs and submits them to
      the server's host controller. When all the split URBs are completed,
      stub driver reassembles the URBs into a single return command and
      sends it to vhci.
      
      Moreover, in the situation where vhci supports SG, but stub driver
      does not, or vice versa, usbip works normally. Because there is no
      protocol modification, there is no problem in communication between
      server and client even if the one has a kernel without SG support.
      
      In the case of vhci supports SG and stub driver doesn't, because
      vhci sends only the total length of the buffer to stub driver as
      it did before the patch applied, stub driver only needs to allocate
      the required length of buffers using only kmalloc() regardless of
      whether vhci supports SG or not. But stub driver has to allocate
      buffer with kmalloc() as much as the total length of SG buffer which
      is quite huge when vhci sends SG request, so it has overhead in
      buffer allocation in this situation.
      
      If stub driver needs to send data buffer to vhci because of IN pipe,
      stub driver also sends only total length of buffer as metadata and
      then sends real data as vhci does. Then vhci receives data from stub
      driver and stores it to the corresponding buffer of SG list entry.
      
      And for the case of stub driver supports SG and vhci doesn't, since
      the USB storage driver checks that vhci doesn't support SG and sends
      the request to stub driver by splitting the SG list into multiple
      URBs, stub driver allocates a buffer for each URB with kmalloc() as
      it did before this patch.
      
      * Test environment
      
      Test uses two different machines and two different kernel versions
      to make mismatch situation between the client and the server where
      vhci supports SG, but stub driver does not, or vice versa. All tests
      are conducted in both full SG support that both vhci and stub support
      SG and half SG support that is the mismatch situation. Test kernel
      version is 5.3-rc6 with commit "usb: add a HCD_DMA flag instead of
      guestimating DMA capabilities" to avoid unnecessary DMA mapping and
      unmapping.
      
       - Test kernel version
          - 5.3-rc6 with SG support
          - 5.1.20-200.fc29.x86_64 without SG support
      
      * SG support test
      
       - Test devices
          - Super-speed storage device - SanDisk Ultra USB 3.0
          - High-speed storage device - SMI corporation USB 2.0 flash drive
      
       - Test description
      
      Test read and write operation of mass storage device that uses the
      BULK transfer. In test, the client reads and writes files whose size
      is over 1G and it works normally.
      
      * Regression test
      
       - Test devices
          - Super-speed device - Logitech Brio webcam
          - High-speed device  - Logitech C920 HD Pro webcam
          - Full-speed device  - Logitech bluetooth mouse
                               - Britz BR-Orion speaker
          - Low-speed device   - Logitech wired mouse
      
       - Test description
      
      Moving and click test for mouse. To test the webcam, use gnome-cheese.
      To test the speaker, play music and video on the client. All works
      normally.
      
      * VUDC compatibility test
      
      VUDC also works well with this patch. Tests are done with two USB
      gadget created by CONFIGFS USB gadget. Both use the BULK pipe.
      
              1. Serial gadget
              2. Mass storage gadget
      
       - Serial gadget test
      
      Serial gadget on the host sends and receives data using cat command
      on the /dev/ttyGS<N>. The client uses minicom to communicate with
      the serial gadget.
      
       - Mass storage gadget test
      
      After connecting the gadget with vhci, use "dd" to test read and
      write operation on the client side.
      
      Read  - dd if=/dev/sd<N> iflag=direct of=/dev/null bs=1G count=1
      Write - dd if=<my file path> iflag=direct of=/dev/sd<N> bs=1G count=1
      Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
      Acked-by: Shuah khan <skhan@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20190828032741.12234-1-suwan.kim027@gmail.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path · f865ae47
      Shuah Khan authored
      commit 2c904963 upstream.
      
      Fix vhci_urb_enqueue() to print debug msg and return error instead of
      failing with BUG_ON.
      Signed-off-by: Shuah Khan <shuah@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sched/fair: Fix -Wunused-but-set-variable warnings · e9c0fc4a
      Qian Cai authored
      commit 763a9ec0 upstream.
      
      Commit:
      
         de53fd7a ("sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices")
      
      introduced a few compilation warnings:
      
        kernel/sched/fair.c: In function '__refill_cfs_bandwidth_runtime':
        kernel/sched/fair.c:4365:6: warning: variable 'now' set but not used [-Wunused-but-set-variable]
        kernel/sched/fair.c: In function 'start_cfs_bandwidth':
        kernel/sched/fair.c:4992:6: warning: variable 'overrun' set but not used [-Wunused-but-set-variable]
      
      Also, __refill_cfs_bandwidth_runtime() does no longer update the
      expiration time, so fix the comments accordingly.
      Signed-off-by: Qian Cai <cai@lca.pw>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: Ben Segall <bsegall@google.com>
      Reviewed-by: Dave Chiluk <chiluk+linux@indeed.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: pauld@redhat.com
      Fixes: de53fd7a ("sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices")
      Link: https://lkml.kernel.org/r/1566326455-8038-1-git-send-email-cai@lca.pw
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices · 502bd151
      Dave Chiluk authored
      commit de53fd7a upstream.
      
      It has been observed, that highly-threaded, non-cpu-bound applications
      running under cpu.cfs_quota_us constraints can hit a high percentage of
      periods throttled while simultaneously not consuming the allocated
      amount of quota. This use case is typical of user-interactive non-cpu
      bound applications, such as those running in kubernetes or mesos when
      run on multiple cpu cores.
      
      This has been root caused to cpu-local run queue being allocated per cpu
      bandwidth slices, and then not fully using that slice within the period.
      At which point the slice and quota expires. This expiration of unused
      slice results in applications not being able to utilize the quota for
      which they are allocated.
      
      The non-expiration of per-cpu slices was recently fixed by
      'commit 512ac999 ("sched/fair: Fix bandwidth timer clock drift
      condition")'. Prior to that it appears that this had been broken since
      at least 'commit 51f2176d ("sched/fair: Fix unlocked reads of some
      cfs_b->quota/period")' which was introduced in v3.16-rc1 in 2014. That
      added the following conditional which resulted in slices never being
      expired.
      
      if (cfs_rq->runtime_expires != cfs_b->runtime_expires) {
      	/* extend local deadline, drift is bounded above by 2 ticks */
      	cfs_rq->runtime_expires += TICK_NSEC;
      
      Because this was broken for nearly 5 years, and has recently been fixed
      and is now being noticed by many users running kubernetes
      (https://github.com/kubernetes/kubernetes/issues/67577) it is my opinion
      that the mechanisms around expiring runtime should be removed
      altogether.
      
      This allows quota already allocated to per-cpu run-queues to live longer
      than the period boundary. This allows threads on runqueues that do not
      use much CPU to continue to use their remaining slice over a longer
      period of time than cpu.cfs_period_us. However, this helps prevent the
      above condition of hitting throttling while also not fully utilizing
      your cpu quota.
      
      This theoretically allows a machine to use slightly more than its
      allotted quota in some periods. This overflow would be bounded by the
      remaining quota left on each per-cpu runqueue. This is typically no
      more than min_cfs_rq_runtime=1ms per cpu. For CPU bound tasks this will
      change nothing, as they should theoretically fully utilize all of their
      quota in each period. For user-interactive tasks as described above this
      provides a much better user/application experience as their cpu
      utilization will more closely match the amount they requested when they
      hit throttling. This means that cpu limits no longer strictly apply per
      period for non-cpu bound applications, but that they are still accurate
      over longer timeframes.
      
      This greatly improves performance of high-thread-count, non-cpu bound
      applications with low cfs_quota_us allocation on high-core-count
      machines. In the case of an artificial testcase (10ms/100ms of quota on
      80 CPU machine), this commit resulted in almost 30x performance
      improvement, while still maintaining correct cpu quota restrictions.
      That testcase is available at https://github.com/indeedeng/fibtest.
      
      Fixes: 512ac999 ("sched/fair: Fix bandwidth timer clock drift condition")
      Signed-off-by: Dave Chiluk <chiluk+linux@indeed.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Reviewed-by: Phil Auld <pauld@redhat.com>
      Reviewed-by: Ben Segall <bsegall@google.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: John Hammond <jhammond@indeed.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: Kyle Anderson <kwa@yelp.com>
      Cc: Gabriel Munos <gmunoz@netflix.com>
      Cc: Peter Oskolkov <posk@posk.io>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Brendan Gregg <bgregg@netflix.com>
      Link: https://lkml.kernel.org/r/1563900266-19734-2-git-send-email-chiluk+linux@indeed.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Fix copy&paste error in the validator · 4ebee487
      Takashi Iwai authored
      commit ba8bf096 upstream.
      
      The recently introduced USB-audio descriptor validator had a stupid
      copy&paste error that may lead to an unexpected overlook of too short
      descriptors for processing and extension units.  It's likely the cause
      of the report triggered by syzkaller fuzzer.  Let's fix it.
      
      Fixes: 57f87706 ("ALSA: usb-audio: More validations of descriptor units")
      Reported-by: syzbot+0620f79a1978b1133fd7@syzkaller.appspotmail.com
      Link: https://lore.kernel.org/r/s5hsgnkdbsl.wl-tiwai@suse.de
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: remove some dead code · e0051889
      Dan Carpenter authored
      commit b39e077f upstream.
      
      We recently cleaned up the error handling in commit 52c3e317 ("ALSA:
      usb-audio: Unify the release of usb_mixer_elem_info objects") but
      accidentally left this stray return.
      
      Fixes: 52c3e317 ("ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Fix possible NULL dereference at create_yamaha_midi_quirk() · 4f6c5200
      Takashi Iwai authored
      commit 60849562 upstream.
      
      The previous addition of descriptor validation may lead to a NULL
      dereference at create_yamaha_midi_quirk() when either injd or outjd is
      NULL.  Add proper non-NULL checks.
      
      Fixes: 57f87706 ("ALSA: usb-audio: More validations of descriptor units")
      Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Clean up check_input_term() · 3a0cdf21
      Takashi Iwai authored
      commit e0ccdef9 upstream.
      
      The primary changes in this patch are cleanups of __check_input_term()
      and move to a non-nested switch-case block by evaluating the pair of
      UAC version and the unit type, as we've done for parse_audio_unit().
      Also each parser is split into the function for readability.
      
      Now, a slight behavior change by this cleanup is the handling of
      processing and extension units.  Formerly we've dealt with them
      differently between UAC1/2 and UAC3; the latter returns an error if no
      input sources are available, while the former continues to parse.
      
      In this patch, unify the behavior in all cases: when input sources are
      available, it parses recursively, then override the type and the id,
      as well as channel information if not provided yet.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Remove superfluous bLength checks · 9feeaa50
      Takashi Iwai authored
      commit b8e4f1fd upstream.
      
      Now that we got the more comprehensive validation code for USB-audio
      descriptors, the check of overflow in each descriptor unit parser
      became superfluous.  Drop some of the obvious cases.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Unify the release of usb_mixer_elem_info objects · f0e164f6
      Takashi Iwai authored
      commit 52c3e317 upstream.
      
      Instead of the direct kfree() calls, introduce a new local helper to
      release the usb_mixer_elem_info object.  This will be extended to do
      more than a single kfree() in the later patches.
      
      Also, use the standard goto instead of multiple calls in
      parse_audio_selector_unit() error paths.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: Simplify parse_audio_unit() · dae4d839
      Takashi Iwai authored
      commit 68e9fde2 upstream.
      
      Minor code refactoring by combining the UAC version and the type in
      the switch-case flow, so that we reduce the indentation and
      redundancy.  One good bonus is that the duplicated definition of the
      same type value (e.g. UAC2_EFFECT_UNIT) can be handled more cleanly.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ALSA: usb-audio: More validations of descriptor units · 17821e2f
      Takashi Iwai authored
      commit 57f87706 upstream.
      
      Introduce a new helper to validate each audio descriptor unit before
      and check the unit before actually accessing it.  This should harden
      against the OOB access cases with malformed descriptors that have been
      recently frequently reported by fuzzers.
      
      The existing descriptor checks are still kept although they become
      superfluous after this patch.  They'll be cleaned up eventually
      later.
      Signed-off-by: Takashi Iwai <tiwai@suse.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • configfs: fix a deadlock in configfs_symlink() · 5e36cf8e
      Al Viro authored
      commit 351e5d86 upstream.
      
      Configfs abuses symlink(2).  Unlike the normal filesystems, it
      wants the target resolved at symlink(2) time, like link(2) would've
      done.  The problem is that ->symlink() is called with the parent
      directory locked exclusive, so resolving the target inside the
      ->symlink() is easily deadlocked.
      
      Short of really ugly games in sys_symlink() itself, all we can
      do is to unlock the parent before resolving the target and
      relock it after.  However, that invalidates the checks done
      by the caller of ->symlink(), so we have to
      	* check that dentry is still where it used to be
      (it couldn't have been moved, but it could've been unhashed)
      	* recheck that it's still negative (somebody else
      might've successfully created a symlink with the same name
      while we were looking the target up)
      	* recheck the permissions on the parent directory.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • configfs: provide exclusion between IO and removals · 0dfc45be
      Al Viro authored
      commit b0841eef upstream.
      
      Make sure that attribute methods are not called after the item
      has been removed from the tree.  To do so, we
      	* at the point of no return in removals, grab ->frag_sem
      exclusive and mark the fragment dead.
      	* call the methods of attributes with ->frag_sem taken
      shared and only after having verified that the fragment is still
      alive.
      
      	The main benefit is for method instances - they are
      guaranteed that the objects they are accessing *and* all ancestors
      are still there.  Another win is that we don't need to bother
      with extra refcount on config_item when opening a file -
      the item will be alive for as long as it stays in the tree, and
      we won't touch it/attributes/any associated data after it's
      been removed from the tree.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • configfs: new object reprsenting tree fragments · 25c118d8
      Al Viro authored
      commit 47320fbe upstream.
      
      Refcounted, hangs off configfs_dirent, created by operations that add
      fragments to configfs tree (mkdir and configfs_register_{subsystem,group}).
      Will be used in the next commit to provide exclusion between fragment
      removal and ->show/->store calls.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • configfs_register_group() shouldn't be (and isn't) called in rmdirable parts · 65524d64
      Al Viro authored
      commit f19e4ed1 upstream.
      
      revert cc57c073 "configfs: fix registered group removal"
      It was an attempt to handle something that fundamentally doesn't
      work - configfs_register_group() should never be done in a part
      of tree that can be rmdir'ed.  And in mainline it never had been,
      so let's not borrow trouble; the fix was racy anyway, it would take
      a lot more to make that work and desired semantics is not clear.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • configfs: stash the data we need into configfs_buffer at open time · 2bd63490
      Al Viro authored
      commit ff4dd081 upstream.
      
      simplifies the ->read()/->write()/->release() instances nicely
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • can: peak_usb: fix slab info leak · a7be2deb
      Johan Hovold authored
      commit f7a1337f upstream.
      
      Fix a small slab info leak due to a failure to clear the command buffer
      at allocation.
      
      The first 16 bytes of the command buffer are always sent to the device
      in pcan_usb_send_cmd() even though only the first two may have been
      initialised in case no argument payload is provided (e.g. when waiting
      for a response).
      
      Fixes: bb478555 ("can: usb: PEAK-System Technik USB adapters driver core")
      Cc: stable <stable@vger.kernel.org>     # 3.4
      Reported-by: syzbot+863724e7128e14b26732@syzkaller.appspotmail.com
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
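
      A user-space model of the leak described in the peak_usb commit above, added here as an illustration; it is not the driver's code. The 16-byte send length and the two initialised bytes come from the commit message; the function names, the single-object allocator and the 0xA5 stale-data marker are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_LEN      16   /* bytes sent for every command (per the commit message) */
#define CMD_HDR_LEN  2    /* bytes initialised when no argument payload is given */
#define CMD_ARGS_MAX (CMD_LEN - CMD_HDR_LEN)
#define STALE_BYTE   0xA5 /* constructed marker standing in for old heap contents */

/* Constructed sample payload used by main() and the checks. */
static const uint8_t sample_args[4] = { 0x10, 0x20, 0x30, 0x40 };

/* One reusable object, standing in for a slab object recycled by the allocator. */
static uint8_t slab_obj[CMD_LEN];

/* Models an allocation that is NOT cleared: the previous owner's bytes remain. */
static uint8_t *alloc_uncleared(void)
{
    memset(slab_obj, STALE_BYTE, sizeof(slab_obj));
    return slab_obj;
}

/* Models the fix: the buffer is cleared at allocation time. */
static uint8_t *alloc_cleared(void)
{
    uint8_t *buf = alloc_uncleared();
    memset(buf, 0, CMD_LEN);
    return buf;
}

/* Fill in a command; returns the number of bytes actually initialised. */
static size_t build_cmd(uint8_t *buf, uint8_t func, uint8_t num,
                        const uint8_t *args, size_t arg_len)
{
    buf[0] = func;
    buf[1] = num;
    if (args == NULL)
        return CMD_HDR_LEN;
    if (arg_len > CMD_ARGS_MAX)
        arg_len = CMD_ARGS_MAX;
    memcpy(buf + CMD_HDR_LEN, args, arg_len);
    return CMD_HDR_LEN + arg_len;
}

/* Models the send path: the whole fixed-size buffer always goes on the wire. */
static void send_cmd(const uint8_t *buf, uint8_t wire[CMD_LEN])
{
    memcpy(wire, buf, CMD_LEN);
}

/* Count bytes on the wire that build_cmd() never wrote and that still hold stale data. */
size_t leaked_bytes(int clear_at_alloc, const uint8_t *args, size_t arg_len)
{
    uint8_t wire[CMD_LEN];
    uint8_t *buf = clear_at_alloc ? alloc_cleared() : alloc_uncleared();
    size_t used = build_cmd(buf, 0x01, 0x02, args, arg_len);
    size_t leaked = 0;

    send_cmd(buf, wire);
    for (size_t i = used; i < CMD_LEN; i++)
        if (wire[i] == STALE_BYTE)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("no payload, uncleared: %zu stale bytes sent\n",
           leaked_bytes(0, NULL, 0));
    printf("no payload, cleared:   %zu stale bytes sent\n",
           leaked_bytes(1, NULL, 0));
    printf("4-byte payload, uncleared: %zu stale bytes sent\n",
           leaked_bytes(0, sample_args, sizeof(sample_args)));
    return 0;
}
```

      Clearing at allocation covers every caller at once, including paths that write only the two header bytes before sending.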
    • can: mcba_usb: fix use-after-free on disconnect · ce9b94da
      Johan Hovold authored
      commit 4d663649 upstream.
      
      The driver was accessing its driver data after having freed it.
      
      Fixes: 51f3baad ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
      Cc: stable <stable@vger.kernel.org>     # 4.12
      Cc: Remigiusz Kołłątaj <remigiusz.kollataj@mobica.com>
      Reported-by: syzbot+e29b17e5042bbc56fae9@syzkaller.appspotmail.com
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • can: dev: add missing of_node_put() after calling of_get_child_by_name() · 5a9e37f2
      Wen Yang authored
      commit db9ee384 upstream.
      
      of_node_put() needs to be called when the device node which is got
      from of_get_child_by_name() finished using.
      
      Fixes: 2290aefa ("can: dev: Add support for limiting configured bitrate")
      Cc: Franklin S Cooper Jr <fcooper@ti.com>
      Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • can: gs_usb: gs_can_open(): prevent memory leak · 9289226f
      Navid Emamdoost authored
      commit fb5be6a7 upstream.
      
      In gs_can_open() if usb_submit_urb() fails the allocated urb should be
      released.
      
      Fixes: d08e973a ("can: gs_usb: Added support for the GS_USB CAN devices")
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak · 9f5c5942
      Marc Kleine-Budde authored
      commit ca913f1a upstream.
      
      If the rx-offload skb_queue is full can_rx_offload_queue_sorted() will
      not queue the skb and return with an error.
      
      None of the callers of this function, issue a kfree_skb() to free the
      not queued skb. This results in a memory leak.
      
      This patch fixes the problem by freeing the skb in case of a full queue.
      The return value is adjusted to -ENOBUFS to better reflect the actual
      problem.
      
      The device stats handling is left to the callers, as this function might
      be used in both the rx and tx path.
      
      Fixes: 55059f2b ("can: rx-offload: introduce can_rx_offload_get_echo_skb() and can_rx_offload_queue_sorted() functions")
      Cc: linux-stable <stable@vger.kernel.org>
      Cc: Martin Hundebøll <martin@geanix.com>
      Reported-by: Martin Hundebøll <martin@geanix.com>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • can: peak_usb: fix a potential out-of-sync while decoding packets · ef502d5a
      Stephane Grosjean authored
      commit de280f40 upstream.
      
      When decoding a buffer received from PCAN-USB, the first timestamp read in
      a packet is a 16-bit coded time base, and the next ones are an 8-bit
      offset to this base, regardless of the type of packet read.
      
      This patch corrects a potential loss of synchronization by using a
      timestamp index read from the buffer, rather than an index of received
      data packets, to determine the size of the timestamp to be read from the
      packet being decoded.
      Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
      Fixes: 46be265d ("can: usb: PEAK-System Technik PCAN-USB specific part")
      Cc: linux-stable <stable@vger.kernel.org>
      Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>