1. 20 Mar, 2020 40 commits
    • Zhenzhong Duan's avatar
      iommu/vt-d: Fix the wrong printing in RHSA parsing · 1d66a550
      Zhenzhong Duan authored
      commit b0bb0c22 upstream.
      
      When base address in RHSA structure doesn't match base address in
      each DRHD structure, the base address in last DRHD is printed out.
      
      This doesn't make sense when there are multiple DRHD units, fix it
      by printing the buggy RHSA's base address.
      Signed-off-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Signed-off-by: default avatarZhenzhong Duan <zhenzhong.duan@gmail.com>
      Fixes: fd0c8894 ("intel-iommu: Set a more specific taint flag for invalid BIOS DMAR tables")
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d66a550
    • qize wang's avatar
      mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() · cb87b895
      qize wang authored
      commit 1e58252e upstream.
      
      mwifiex_process_tdls_action_frame() without checking
      the incoming tdls infomation element's vality before use it,
      this may cause multi heap buffer overflows.
      
      Fix them by putting vality check before use it.
      
      IE is TLV struct, but ht_cap and  ht_oper aren’t TLV struct.
      the origin marvell driver code is wrong:
      
      memcpy(&sta_ptr->tdls_cap.ht_oper, pos,....
      memcpy((u8 *)&sta_ptr->tdls_cap.ht_capb, pos,...
      
      Fix the bug by changing pos(the address of IE) to
      pos+2 ( the address of IE value ).
      Signed-off-by: default avatarqize wang <wangqize888888888@gmail.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarMatthias Maennich <maennich@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb87b895
    • Jakub Kicinski's avatar
      netfilter: cthelper: add missing attribute validation for cthelper · a2ecb2d1
      Jakub Kicinski authored
      commit c049b345 upstream.
      
      Add missing attribute validation for cthelper
      to the netlink policy.
      
      Fixes: 12f7a505 ("netfilter: add user-space connection tracking helper infrastructure")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2ecb2d1
    • Jakub Kicinski's avatar
      nl80211: add missing attribute validation for channel switch · 85a7e73a
      Jakub Kicinski authored
      commit 5cde05c6 upstream.
      
      Add missing attribute validation for NL80211_ATTR_OPER_CLASS
      to the netlink policy.
      
      Fixes: 1057d35e ("cfg80211: introduce TDLS channel switch commands")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20200303051058.4089398-4-kuba@kernel.orgSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      85a7e73a
    • Jakub Kicinski's avatar
      nl80211: add missing attribute validation for beacon report scanning · 0a626cd0
      Jakub Kicinski authored
      commit 056e9375 upstream.
      
      Add missing attribute validation for beacon report scanning
      to the netlink policy.
      
      Fixes: 1d76250b ("nl80211: support beacon report scanning")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20200303051058.4089398-3-kuba@kernel.orgSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a626cd0
    • Jakub Kicinski's avatar
      nl80211: add missing attribute validation for critical protocol indication · d4ffeafd
      Jakub Kicinski authored
      commit 0e1a1d85 upstream.
      
      Add missing attribute validation for critical protocol fields
      to the netlink policy.
      
      Fixes: 5de17984 ("cfg80211: introduce critical protocol indication from user-space")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Link: https://lore.kernel.org/r/20200303051058.4089398-2-kuba@kernel.orgSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4ffeafd
    • Yonghyun Hwang's avatar
      iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page · 045bf097
      Yonghyun Hwang authored
      commit 77a1bce8 upstream.
      
      intel_iommu_iova_to_phys() has a bug when it translates an IOVA for a huge
      page onto its corresponding physical address. This commit fixes the bug by
      accomodating the level of page entry for the IOVA and adds IOVA's lower
      address to the physical address.
      
      Cc: <stable@vger.kernel.org>
      Acked-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Reviewed-by: default avatarMoritz Fischer <mdf@kernel.org>
      Signed-off-by: default avatarYonghyun Hwang <yonghyun@google.com>
      Fixes: 38717946 ("VT-d: Changes to support KVM")
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      045bf097
    • Hans de Goede's avatar
      iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint · 5145afc8
      Hans de Goede authored
      commit 59833696 upstream.
      
      Quoting from the comment describing the WARN functions in
      include/asm-generic/bug.h:
      
       * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report
       * significant kernel issues that need prompt attention if they should ever
       * appear at runtime.
       *
       * Do not use these macros when checking for invalid external inputs
      
      The (buggy) firmware tables which the dmar code was calling WARN_TAINT
      for really are invalid external inputs. They are not under the kernel's
      control and the issues in them cannot be fixed by a kernel update.
      So logging a backtrace, which invites bug reports to be filed about this,
      is not helpful.
      
      Some distros, e.g. Fedora, have tools watching for the kernel backtraces
      logged by the WARN macros and offer the user an option to file a bug for
      this when these are encountered. The WARN_TAINT in warn_invalid_dmar()
      + another iommu WARN_TAINT, addressed in another patch, have lead to over
      a 100 bugs being filed this way.
      
      This commit replaces the WARN_TAINT("...") calls, with
      pr_warn(FW_BUG "...") + add_taint(TAINT_FIRMWARE_WORKAROUND, ...) calls
      avoiding the backtrace and thus also avoiding bug-reports being filed
      about this against the kernel.
      
      Fixes: fd0c8894 ("intel-iommu: Set a more specific taint flag for invalid BIOS DMAR tables")
      Fixes: e625b4a9 ("iommu/vt-d: Parse ANDD records")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Acked-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20200309140138.3753-2-hdegoede@redhat.com
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1564895Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5145afc8
    • Vladis Dronov's avatar
      efi: Fix a race and a buffer overflow while reading efivars via sysfs · 16d8f5de
      Vladis Dronov authored
      commit 286d3250 upstream.
      
      There is a race and a buffer overflow corrupting a kernel memory while
      reading an EFI variable with a size more than 1024 bytes via the older
      sysfs method. This happens because accessing struct efi_variable in
      efivar_{attr,size,data}_read() and friends is not protected from
      a concurrent access leading to a kernel memory corruption and, at best,
      to a crash. The race scenario is the following:
      
      CPU0:                                CPU1:
      efivar_attr_read()
        var->DataSize = 1024;
        efivar_entry_get(... &var->DataSize)
          down_interruptible(&efivars_lock)
                                           efivar_attr_read() // same EFI var
                                             var->DataSize = 1024;
                                             efivar_entry_get(... &var->DataSize)
                                               down_interruptible(&efivars_lock)
          virt_efi_get_variable()
          // returns EFI_BUFFER_TOO_SMALL but
          // var->DataSize is set to a real
          // var size more than 1024 bytes
          up(&efivars_lock)
                                               virt_efi_get_variable()
                                               // called with var->DataSize set
                                               // to a real var size, returns
                                               // successfully and overwrites
                                               // a 1024-bytes kernel buffer
                                               up(&efivars_lock)
      
      This can be reproduced by concurrent reading of an EFI variable which size
      is more than 1024 bytes:
      
        ts# for cpu in $(seq 0 $(nproc --ignore=1)); do ( taskset -c $cpu \
        cat /sys/firmware/efi/vars/KEKDefault*/size & ) ; done
      
      Fix this by using a local variable for a var's data buffer size so it
      does not get overwritten.
      
      Fixes: e14ab23d ("efivars: efivar_entry API")
      Reported-by: Bob Sanders <bob.sanders@hpe.com> and the LTP testsuite
      Signed-off-by: default avatarVladis Dronov <vdronov@redhat.com>
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200305084041.24053-2-vdronov@redhat.com
      Link: https://lore.kernel.org/r/20200308080859.21568-24-ardb@kernel.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16d8f5de
    • Eugeniy Paltsev's avatar
      ARC: define __ALIGN_STR and __ALIGN symbols for ARC · b5badebc
      Eugeniy Paltsev authored
      commit 8d92e992 upstream.
      
      The default defintions use fill pattern 0x90 for padding which for ARC
      generates unintended "ldh_s r12,[r0,0x20]" corresponding to opcode 0x9090
      
      So use ".align 4" which insert a "nop_s" instruction instead.
      
      Cc: stable@vger.kernel.org
      Acked-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarEugeniy Paltsev <Eugeniy.Paltsev@synopsys.com>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b5badebc
    • Vitaly Kuznetsov's avatar
      KVM: x86: clear stale x86_emulate_ctxt->intercept value · 3a91d55c
      Vitaly Kuznetsov authored
      commit 342993f9 upstream.
      
      After commit 07721fee ("KVM: nVMX: Don't emulate instructions in guest
      mode") Hyper-V guests on KVM stopped booting with:
      
       kvm_nested_vmexit:    rip fffff802987d6169 reason EPT_VIOLATION info1 181
          info2 0 int_info 0 int_info_err 0
       kvm_page_fault:       address febd0000 error_code 181
       kvm_emulate_insn:     0:fffff802987d6169: f3 a5
       kvm_emulate_insn:     0:fffff802987d6169: f3 a5 FAIL
       kvm_inj_exception:    #UD (0x0)
      
      "f3 a5" is a "rep movsw" instruction, which should not be intercepted
      at all.  Commit c44b4c6a ("KVM: emulate: clean up initializations in
      init_decode_cache") reduced the number of fields cleared by
      init_decode_cache() claiming that they are being cleared elsewhere,
      'intercept', however, is left uncleared if the instruction does not have
      any of the "slow path" flags (NotImpl, Stack, Op3264, Sse, Mmx, CheckPerm,
      NearBranch, No16 and of course Intercept itself).
      
      Fixes: c44b4c6a ("KVM: emulate: clean up initializations in init_decode_cache")
      Fixes: 07721fee ("KVM: nVMX: Don't emulate instructions in guest mode")
      Cc: stable@vger.kernel.org
      Suggested-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarVitaly Kuznetsov <vkuznets@redhat.com>
      Reviewed-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3a91d55c
    • Al Viro's avatar
      gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache · c919b9a1
      Al Viro authored
      commit 21039132 upstream.
      
      with the way fs/namei.c:do_last() had been done, ->atomic_open()
      instances needed to recognize the case when existing file got
      found with O_EXCL|O_CREAT, either by falling back to finish_no_open()
      or failing themselves.  gfs2 one didn't.
      
      Fixes: 6d4ade98 (GFS2: Add atomic_open support)
      Cc: stable@kernel.org # v3.11
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c919b9a1
    • Al Viro's avatar
      cifs_atomic_open(): fix double-put on late allocation failure · ca9a513b
      Al Viro authored
      commit d9a9f484 upstream.
      
      several iterations of ->atomic_open() calling conventions ago, we
      used to need fput() if ->atomic_open() failed at some point after
      successful finish_open().  Now (since 2016) it's not needed -
      struct file carries enough state to make fput() work regardless
      of the point in struct file lifecycle and discarding it on
      failure exits in open() got unified.  Unfortunately, I'd missed
      the fact that we had an instance of ->atomic_open() (cifs one)
      that used to need that fput(), as well as the stale comment in
      finish_open() demanding such late failure handling.  Trivially
      fixed...
      
      Fixes: fe9ec829 "do_last(): take fput() on error after opening to out:"
      Cc: stable@kernel.org # v4.7+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca9a513b
    • Colin Ian King's avatar
      drm/amd/display: remove duplicated assignment to grph_obj_type · 346ff2f6
      Colin Ian King authored
      commit d785476c upstream.
      
      Variable grph_obj_type is being assigned twice, one of these is
      redundant so remove it.
      
      Addresses-Coverity: ("Evaluation order violation")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: <nobuhiro1.iwamatsu@toshiba.co.jp>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      346ff2f6
    • Hillf Danton's avatar
      workqueue: don't use wq_select_unbound_cpu() for bound works · 3772b93d
      Hillf Danton authored
      commit aa202f1f upstream.
      
      wq_select_unbound_cpu() is designed for unbound workqueues only, but
      it's wrongly called when using a bound workqueue too.
      
      Fixing this ensures work queued to a bound workqueue with
      cpu=WORK_CPU_UNBOUND always runs on the local CPU.
      
      Before, that would happen only if wq_unbound_cpumask happened to include
      it (likely almost always the case), or was empty, or we got lucky with
      forced round-robin placement.  So restricting
      /sys/devices/virtual/workqueue/cpumask to a small subset of a machine's
      CPUs would cause some bound work items to run unexpectedly there.
      
      Fixes: ef557180 ("workqueue: schedule WORK_CPU_UNBOUND work on wq_unbound_cpumask CPUs")
      Cc: stable@vger.kernel.org # v4.5+
      Signed-off-by: default avatarHillf Danton <hdanton@sina.com>
      [dj: massage changelog]
      Signed-off-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Lai Jiangshan <jiangshanlai@gmail.com>
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3772b93d
    • Hans de Goede's avatar
      iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint · 412c17e2
      Hans de Goede authored
      commit 81ee85d0 upstream.
      
      Quoting from the comment describing the WARN functions in
      include/asm-generic/bug.h:
      
       * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report
       * significant kernel issues that need prompt attention if they should ever
       * appear at runtime.
       *
       * Do not use these macros when checking for invalid external inputs
      
      The (buggy) firmware tables which the dmar code was calling WARN_TAINT
      for really are invalid external inputs. They are not under the kernel's
      control and the issues in them cannot be fixed by a kernel update.
      So logging a backtrace, which invites bug reports to be filed about this,
      is not helpful.
      
      Fixes: 556ab45f ("ioat2: catch and recover from broken vtd configurations v6")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Acked-by: default avatarLu Baolu <baolu.lu@linux.intel.com>
      Link: https://lore.kernel.org/r/20200309182510.373875-1-hdegoede@redhat.com
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=701847Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      412c17e2
    • Halil Pasic's avatar
      virtio-blk: fix hw_queue stopped on arbitrary error · 64007a74
      Halil Pasic authored
      commit f5f6b95c upstream.
      
      Since nobody else is going to restart our hw_queue for us, the
      blk_mq_start_stopped_hw_queues() is in virtblk_done() is not sufficient
      necessarily sufficient to ensure that the queue will get started again.
      In case of global resource outage (-ENOMEM because mapping failure,
      because of swiotlb full) our virtqueue may be empty and we can get
      stuck with a stopped hw_queue.
      
      Let us not stop the queue on arbitrary errors, but only on -EONSPC which
      indicates a full virtqueue, where the hw_queue is guaranteed to get
      started by virtblk_done() before when it makes sense to carry on
      submitting requests. Let us also remove a stale comment.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.ibm.com>
      Cc: Jens Axboe <axboe@kernel.dk>
      Fixes: f7728002 ("virtio_ring: fix return code on DMA mapping fails")
      Link: https://lore.kernel.org/r/20200213123728.61216-2-pasic@linux.ibm.comSigned-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Reviewed-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64007a74
    • Heiner Kallweit's avatar
      net: phy: fix MDIO bus PM PHY resuming · e9ed467f
      Heiner Kallweit authored
      [ Upstream commit 611d779a ]
      
      So far we have the unfortunate situation that mdio_bus_phy_may_suspend()
      is called in suspend AND resume path, assuming that function result is
      the same. After the original change this is no longer the case,
      resulting in broken resume as reported by Geert.
      
      To fix this call mdio_bus_phy_may_suspend() in the suspend path only,
      and let the phy_device store the info whether it was suspended by
      MDIO bus PM.
      
      Fixes: 503ba7c6 ("net: phy: Avoid multiple suspends")
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Tested-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e9ed467f
    • Shakeel Butt's avatar
      cgroup: memcg: net: do not associate sock with unrelated cgroup · 529f4b7a
      Shakeel Butt authored
      [ Upstream commit e876ecc6 ]
      
      We are testing network memory accounting in our setup and noticed
      inconsistent network memory usage and often unrelated cgroups network
      usage correlates with testing workload. On further inspection, it
      seems like mem_cgroup_sk_alloc() and cgroup_sk_alloc() are broken in
      irq context specially for cgroup v1.
      
      mem_cgroup_sk_alloc() and cgroup_sk_alloc() can be called in irq context
      and kind of assumes that this can only happen from sk_clone_lock()
      and the source sock object has already associated cgroup. However in
      cgroup v1, where network memory accounting is opt-in, the source sock
      can be unassociated with any cgroup and the new cloned sock can get
      associated with unrelated interrupted cgroup.
      
      Cgroup v2 can also suffer if the source sock object was created by
      process in the root cgroup or if sk_alloc() is called in irq context.
      The fix is to just do nothing in interrupt.
      
      WARNING: Please note that about half of the TCP sockets are allocated
      from the IRQ context, so, memory used by such sockets will not be
      accouted by the memcg.
      
      The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
      
      CPU: 70 PID: 12720 Comm: ssh Tainted:  5.6.0-smp-DEV #1
      Hardware name: ...
      Call Trace:
       <IRQ>
       dump_stack+0x57/0x75
       mem_cgroup_sk_alloc+0xe9/0xf0
       sk_clone_lock+0x2a7/0x420
       inet_csk_clone_lock+0x1b/0x110
       tcp_create_openreq_child+0x23/0x3b0
       tcp_v6_syn_recv_sock+0x88/0x730
       tcp_check_req+0x429/0x560
       tcp_v6_rcv+0x72d/0xa40
       ip6_protocol_deliver_rcu+0xc9/0x400
       ip6_input+0x44/0xd0
       ? ip6_protocol_deliver_rcu+0x400/0x400
       ip6_rcv_finish+0x71/0x80
       ipv6_rcv+0x5b/0xe0
       ? ip6_sublist_rcv+0x2e0/0x2e0
       process_backlog+0x108/0x1e0
       net_rx_action+0x26b/0x460
       __do_softirq+0x104/0x2a6
       do_softirq_own_stack+0x2a/0x40
       </IRQ>
       do_softirq.part.19+0x40/0x50
       __local_bh_enable_ip+0x51/0x60
       ip6_finish_output2+0x23d/0x520
       ? ip6table_mangle_hook+0x55/0x160
       __ip6_finish_output+0xa1/0x100
       ip6_finish_output+0x30/0xd0
       ip6_output+0x73/0x120
       ? __ip6_finish_output+0x100/0x100
       ip6_xmit+0x2e3/0x600
       ? ipv6_anycast_cleanup+0x50/0x50
       ? inet6_csk_route_socket+0x136/0x1e0
       ? skb_free_head+0x1e/0x30
       inet6_csk_xmit+0x95/0xf0
       __tcp_transmit_skb+0x5b4/0xb20
       __tcp_send_ack.part.60+0xa3/0x110
       tcp_send_ack+0x1d/0x20
       tcp_rcv_state_process+0xe64/0xe80
       ? tcp_v6_connect+0x5d1/0x5f0
       tcp_v6_do_rcv+0x1b1/0x3f0
       ? tcp_v6_do_rcv+0x1b1/0x3f0
       __release_sock+0x7f/0xd0
       release_sock+0x30/0xa0
       __inet_stream_connect+0x1c3/0x3b0
       ? prepare_to_wait+0xb0/0xb0
       inet_stream_connect+0x3b/0x60
       __sys_connect+0x101/0x120
       ? __sys_getsockopt+0x11b/0x140
       __x64_sys_connect+0x1a/0x20
       do_syscall_64+0x51/0x200
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      The stack trace of mem_cgroup_sk_alloc() from IRQ-context:
      Fixes: 2d758073 ("mm: memcontrol: consolidate cgroup socket tracking")
      Fixes: d979a39d ("cgroup: duplicate cgroup reference when cloning sockets")
      Signed-off-by: default avatarShakeel Butt <shakeelb@google.com>
      Reviewed-by: default avatarRoman Gushchin <guro@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      529f4b7a
    • Eric Dumazet's avatar
      bonding/alb: make sure arp header is pulled before accessing it · 9fc9ba07
      Eric Dumazet authored
      commit b7469e83 upstream.
      
      Similar to commit 38f88c45 ("bonding/alb: properly access headers
      in bond_alb_xmit()"), we need to make sure arp header was pulled
      in skb->head before blindly accessing it in rlb_arp_xmit().
      
      Remove arp_pkt() private helper, since it is more readable/obvious
      to have the following construct back to back :
      
      	if (!pskb_network_may_pull(skb, sizeof(*arp)))
      		return NULL;
      	arp = (struct arp_pkt *)skb_network_header(skb);
      
      syzbot reported :
      
      BUG: KMSAN: uninit-value in bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
      BUG: KMSAN: uninit-value in rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
      BUG: KMSAN: uninit-value in bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
      CPU: 0 PID: 12743 Comm: syz-executor.4 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       bond_slave_has_mac_rx include/net/bonding.h:704 [inline]
       rlb_arp_xmit drivers/net/bonding/bond_alb.c:662 [inline]
       bond_alb_xmit+0x575/0x25e0 drivers/net/bonding/bond_alb.c:1477
       __bond_start_xmit drivers/net/bonding/bond_main.c:4257 [inline]
       bond_start_xmit+0x85d/0x2f70 drivers/net/bonding/bond_main.c:4282
       __netdev_start_xmit include/linux/netdevice.h:4524 [inline]
       netdev_start_xmit include/linux/netdevice.h:4538 [inline]
       xmit_one net/core/dev.c:3470 [inline]
       dev_hard_start_xmit+0x531/0xab0 net/core/dev.c:3486
       __dev_queue_xmit+0x37de/0x4220 net/core/dev.c:4063
       dev_queue_xmit+0x4b/0x60 net/core/dev.c:4096
       packet_snd net/packet/af_packet.c:2967 [inline]
       packet_sendmsg+0x8347/0x93b0 net/packet/af_packet.c:2992
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg net/socket.c:672 [inline]
       __sys_sendto+0xc1b/0xc50 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:2006
       __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x45c479
      Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fc77ffbbc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      RAX: ffffffffffffffda RBX: 00007fc77ffbc6d4 RCX: 000000000045c479
      RDX: 000000000000000e RSI: 00000000200004c0 RDI: 0000000000000003
      RBP: 000000000076bf20 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 0000000000000a04 R14: 00000000004cc7b0 R15: 000000000076bf2c
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2793 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
       __kmalloc_reserve net/core/skbuff.c:142 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
       alloc_skb include/linux/skbuff.h:1051 [inline]
       alloc_skb_with_frags+0x18c/0xa70 net/core/skbuff.c:5766
       sock_alloc_send_pskb+0xada/0xc60 net/core/sock.c:2242
       packet_alloc_skb net/packet/af_packet.c:2815 [inline]
       packet_snd net/packet/af_packet.c:2910 [inline]
       packet_sendmsg+0x66a0/0x93b0 net/packet/af_packet.c:2992
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg net/socket.c:672 [inline]
       __sys_sendto+0xc1b/0xc50 net/socket.c:1998
       __do_sys_sendto net/socket.c:2010 [inline]
       __se_sys_sendto+0x107/0x130 net/socket.c:2006
       __x64_sys_sendto+0x6e/0x90 net/socket.c:2006
       do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Cc: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9fc9ba07
    • Eric Dumazet's avatar
      slip: make slhc_compress() more robust against malicious packets · 7a7c8ba5
      Eric Dumazet authored
      [ Upstream commit 110a40df ]
      
      Before accessing various fields in IPV4 network header
      and TCP header, make sure the packet :
      
      - Has IP version 4 (ip->version == 4)
      - Has not a silly network length (ip->ihl >= 5)
      - Is big enough to hold network and transport headers
      - Has not a silly TCP header size (th->doff >= sizeof(struct tcphdr) / 4)
      
      syzbot reported :
      
      BUG: KMSAN: uninit-value in slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
      CPU: 0 PID: 11728 Comm: syz-executor231 Not tainted 5.6.0-rc2-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       slhc_compress+0x5b9/0x2e60 drivers/net/slip/slhc.c:270
       ppp_send_frame drivers/net/ppp/ppp_generic.c:1637 [inline]
       __ppp_xmit_process+0x1902/0x2970 drivers/net/ppp/ppp_generic.c:1495
       ppp_xmit_process+0x147/0x2f0 drivers/net/ppp/ppp_generic.c:1516
       ppp_write+0x6bb/0x790 drivers/net/ppp/ppp_generic.c:512
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7f7cd99
      Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
      RSP: 002b:00000000ffdb84ac EFLAGS: 00000217 ORIG_RAX: 000000000000014e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000200001c0
      RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000003
      RBP: 0000000040047459 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
       kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
       kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
       slab_alloc_node mm/slub.c:2793 [inline]
       __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4401
       __kmalloc_reserve net/core/skbuff.c:142 [inline]
       __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:210
       alloc_skb include/linux/skbuff.h:1051 [inline]
       ppp_write+0x115/0x790 drivers/net/ppp/ppp_generic.c:500
       do_loop_readv_writev fs/read_write.c:717 [inline]
       do_iter_write+0x812/0xdc0 fs/read_write.c:1000
       compat_writev+0x2df/0x5a0 fs/read_write.c:1351
       do_compat_pwritev64 fs/read_write.c:1400 [inline]
       __do_compat_sys_pwritev fs/read_write.c:1420 [inline]
       __se_compat_sys_pwritev fs/read_write.c:1414 [inline]
       __ia32_compat_sys_pwritev+0x349/0x3f0 fs/read_write.c:1414
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3c7/0x6e0 arch/x86/entry/common.c:410
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      
      Fixes: b5451d78 ("slip: Move the SLIP drivers")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7a7c8ba5
    • Jakub Kicinski's avatar
      net: fec: validate the new settings in fec_enet_set_coalesce() · a01b5e50
      Jakub Kicinski authored
      [ Upstream commit ab14961d ]
      
      fec_enet_set_coalesce() validates the previously set params
      and if they are within range proceeds to apply the new ones.
      The new ones, however, are not validated. This seems backwards,
      probably a copy-paste error?
      
      Compile tested only.
      
      Fixes: d851b47b ("net: fec: add interrupt coalescence feature support")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Acked-by: default avatarFugang Duan <fugang.duan@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a01b5e50
    • Mahesh Bandewar's avatar
      macvlan: add cond_resched() during multicast processing · 3bd2095b
      Mahesh Bandewar authored
      [ Upstream commit ce9a4186 ]
      
      The Rx bound multicast packets are deferred to a workqueue and
      macvlan can also suffer from the same attack that was discovered
      by Syzbot for IPvlan. This solution is not as effective as in
      IPvlan. IPvlan defers all (Tx and Rx) multicast packet processing
      to a workqueue while macvlan does this way only for the Rx. This
      fix should address the Rx codition to certain extent.
      
      Tx is still suseptible. Tx multicast processing happens when
      .ndo_start_xmit is called, hence we cannot add cond_resched().
      However, it's not that severe since the user which is generating
       / flooding will be affected the most.
      
      Fixes: 412ca155 ("macvlan: Move broadcasts into a work queue")
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3bd2095b
    • Mahesh Bandewar's avatar
      ipvlan: don't deref eth hdr before checking it's set · 2ad8246c
      Mahesh Bandewar authored
      [ Upstream commit ad819276 ]
      
      IPvlan in L3 mode discards outbound multicast packets but performs
      the check before ensuring the ether-header is set or not. This is
      an error that Eric found through code browsing.
      
      Fixes: 2ad7bf36 (“ipvlan: Initial check-in of the IPVLAN driver.”)
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ad8246c
    • Eric Dumazet's avatar
      ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() · 8621153c
      Eric Dumazet authored
      [ Upstream commit afe207d8 ]
      
      Commit e18b353f ("ipvlan: add cond_resched_rcu() while
      processing muticast backlog") added a cond_resched_rcu() in a loop
      using rcu protection to iterate over slaves.
      
      This is breaking rcu rules, so lets instead use cond_resched()
      at a point we can reschedule
      
      Fixes: e18b353f ("ipvlan: add cond_resched_rcu() while processing muticast backlog")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8621153c
    • Paolo Abeni's avatar
      ipvlan: egress mcast packets are not exceptional · 276a875f
      Paolo Abeni authored
      commit cccc200f upstream.
      
      Currently, if IPv6 is enabled on top of an ipvlan device in l3
      mode, the following warning message:
      
       Dropped {multi|broad}cast of type= [86dd]
      
      is emitted every time that a RS is generated and dmseg is soon
      filled with irrelevant messages. Replace pr_warn with pr_debug,
      to preserve debuggability, without scaring the sysadmin.
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      276a875f
    • Jiri Wiesner's avatar
      ipvlan: do not add hardware address of master to its unicast filter list · 96ce4520
      Jiri Wiesner authored
      [ Upstream commit 63aae7b1 ]
      
      There is a problem when ipvlan slaves are created on a master device that
      is a vmxnet3 device (ipvlan in VMware guests). The vmxnet3 driver does not
      support unicast address filtering. When an ipvlan device is brought up in
      ipvlan_open(), the ipvlan driver calls dev_uc_add() to add the hardware
      address of the vmxnet3 master device to the unicast address list of the
      master device, phy_dev->uc. This inevitably leads to the vmxnet3 master
      device being forced into promiscuous mode by __dev_set_rx_mode().
      
      Promiscuous mode is switched on the master despite the fact that there is
      still only one hardware address that the master device should use for
      filtering in order for the ipvlan device to be able to receive packets.
      The comment above struct net_device describes the uc_promisc member as a
      "counter, that indicates, that promiscuous mode has been enabled due to
      the need to listen to additional unicast addresses in a device that does
      not implement ndo_set_rx_mode()". Moreover, the design of ipvlan
      guarantees that only the hardware address of a master device,
      phy_dev->dev_addr, will be used to transmit and receive all packets from
      its ipvlan slaves. Thus, the unicast address list of the master device
      should not be modified by ipvlan_open() and ipvlan_stop() in order to make
      ipvlan a workable option on masters that do not support unicast address
      filtering.
      
      Fixes: 2ad7bf36 ("ipvlan: Initial check-in of the IPVLAN driver")
      Reported-by: default avatarPer Sundstrom <per.sundstrom@redqube.se>
      Signed-off-by: default avatarJiri Wiesner <jwiesner@suse.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarMahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96ce4520
    • Mahesh Bandewar's avatar
      ipvlan: add cond_resched_rcu() while processing muticast backlog · 8079db5d
      Mahesh Bandewar authored
      [ Upstream commit e18b353f ]
      
      If there are substantial number of slaves created as simulated by
      Syzbot, the backlog processing could take much longer and result
      into the issue found in the Syzbot report.
      
      INFO: rcu_sched detected stalls on CPUs/tasks:
              (detected by 1, t=10502 jiffies, g=5049, c=5048, q=752)
      All QSes seen, last rcu_sched kthread activity 10502 (4294965563-4294955061), jiffies_till_next_fqs=1, root ->qsmask 0x0
      syz-executor.1  R  running task on cpu   1  10984 11210   3866 0x30020008 179034491270
      Call Trace:
       <IRQ>
       [<ffffffff81497163>] _sched_show_task kernel/sched/core.c:8063 [inline]
       [<ffffffff81497163>] _sched_show_task.cold+0x2fd/0x392 kernel/sched/core.c:8030
       [<ffffffff8146a91b>] sched_show_task+0xb/0x10 kernel/sched/core.c:8073
       [<ffffffff815c931b>] print_other_cpu_stall kernel/rcu/tree.c:1577 [inline]
       [<ffffffff815c931b>] check_cpu_stall kernel/rcu/tree.c:1695 [inline]
       [<ffffffff815c931b>] __rcu_pending kernel/rcu/tree.c:3478 [inline]
       [<ffffffff815c931b>] rcu_pending kernel/rcu/tree.c:3540 [inline]
       [<ffffffff815c931b>] rcu_check_callbacks.cold+0xbb4/0xc29 kernel/rcu/tree.c:2876
       [<ffffffff815e3962>] update_process_times+0x32/0x80 kernel/time/timer.c:1635
       [<ffffffff816164f0>] tick_sched_handle+0xa0/0x180 kernel/time/tick-sched.c:161
       [<ffffffff81616ae4>] tick_sched_timer+0x44/0x130 kernel/time/tick-sched.c:1193
       [<ffffffff815e75f7>] __run_hrtimer kernel/time/hrtimer.c:1393 [inline]
       [<ffffffff815e75f7>] __hrtimer_run_queues+0x307/0xd90 kernel/time/hrtimer.c:1455
       [<ffffffff815e90ea>] hrtimer_interrupt+0x2ea/0x730 kernel/time/hrtimer.c:1513
       [<ffffffff844050f4>] local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1031 [inline]
       [<ffffffff844050f4>] smp_apic_timer_interrupt+0x144/0x5e0 arch/x86/kernel/apic/apic.c:1056
       [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
      RIP: 0010:do_raw_read_lock+0x22/0x80 kernel/locking/spinlock_debug.c:153
      RSP: 0018:ffff8801dad07ab8 EFLAGS: 00000a02 ORIG_RAX: ffffffffffffff12
      RAX: 0000000000000000 RBX: ffff8801c4135680 RCX: 0000000000000000
      RDX: 1ffff10038826afe RSI: ffff88019d816bb8 RDI: ffff8801c41357f0
      RBP: ffff8801dad07ac0 R08: 0000000000004b15 R09: 0000000000310273
      R10: ffff88019d816bb8 R11: 0000000000000001 R12: ffff8801c41357e8
      R13: 0000000000000000 R14: ffff8801cfb19850 R15: ffff8801cfb198b0
       [<ffffffff8101460e>] __raw_read_lock_bh include/linux/rwlock_api_smp.h:177 [inline]
       [<ffffffff8101460e>] _raw_read_lock_bh+0x3e/0x50 kernel/locking/spinlock.c:240
       [<ffffffff840d78ca>] ipv6_chk_mcast_addr+0x11a/0x6f0 net/ipv6/mcast.c:1006
       [<ffffffff84023439>] ip6_mc_input+0x319/0x8e0 net/ipv6/ip6_input.c:482
       [<ffffffff840211c8>] dst_input include/net/dst.h:449 [inline]
       [<ffffffff840211c8>] ip6_rcv_finish+0x408/0x610 net/ipv6/ip6_input.c:78
       [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:292 [inline]
       [<ffffffff840214de>] NF_HOOK include/linux/netfilter.h:286 [inline]
       [<ffffffff840214de>] ipv6_rcv+0x10e/0x420 net/ipv6/ip6_input.c:278
       [<ffffffff83a29efa>] __netif_receive_skb_one_core+0x12a/0x1f0 net/core/dev.c:5303
       [<ffffffff83a2a15c>] __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:5417
       [<ffffffff83a2f536>] process_backlog+0x216/0x6c0 net/core/dev.c:6243
       [<ffffffff83a30d1b>] napi_poll net/core/dev.c:6680 [inline]
       [<ffffffff83a30d1b>] net_rx_action+0x47b/0xfb0 net/core/dev.c:6748
       [<ffffffff846002c8>] __do_softirq+0x2c8/0x99a kernel/softirq.c:317
       [<ffffffff813e656a>] invoke_softirq kernel/softirq.c:399 [inline]
       [<ffffffff813e656a>] irq_exit+0x16a/0x1a0 kernel/softirq.c:439
       [<ffffffff84405115>] exiting_irq arch/x86/include/asm/apic.h:561 [inline]
       [<ffffffff84405115>] smp_apic_timer_interrupt+0x165/0x5e0 arch/x86/kernel/apic/apic.c:1058
       [<ffffffff84401cbe>] apic_timer_interrupt+0x8e/0xa0 arch/x86/entry/entry_64.S:778
       </IRQ>
      RIP: 0010:__sanitizer_cov_trace_pc+0x26/0x50 kernel/kcov.c:102
      RSP: 0018:ffff880196033bd8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff12
      RAX: ffff88019d8161c0 RBX: 00000000ffffffff RCX: ffffc90003501000
      RDX: 0000000000000002 RSI: ffffffff816236d1 RDI: 0000000000000005
      RBP: ffff880196033bd8 R08: ffff88019d8161c0 R09: 0000000000000000
      R10: 1ffff10032c067f0 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000080 R14: 0000000000000000 R15: 0000000000000000
       [<ffffffff816236d1>] do_futex+0x151/0x1d50 kernel/futex.c:3548
       [<ffffffff816260f0>] C_SYSC_futex kernel/futex_compat.c:201 [inline]
       [<ffffffff816260f0>] compat_SyS_futex+0x270/0x3b0 kernel/futex_compat.c:175
       [<ffffffff8101da17>] do_syscall_32_irqs_on arch/x86/entry/common.c:353 [inline]
       [<ffffffff8101da17>] do_fast_syscall_32+0x357/0xe1c arch/x86/entry/common.c:415
       [<ffffffff84401a9b>] entry_SYSENTER_compat+0x8b/0x9d arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7f23c69
      RSP: 002b:00000000f5d1f12c EFLAGS: 00000282 ORIG_RAX: 00000000000000f0
      RAX: ffffffffffffffda RBX: 000000000816af88 RCX: 0000000000000080
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000816af8c
      RBP: 00000000f5d1f228 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      rcu_sched kthread starved for 10502 jiffies! g5049 c5048 f0x2 RCU_GP_WAIT_FQS(3) ->state=0x0 ->cpu=1
      rcu_sched       R  running task on cpu   1  13048     8      2 0x90000000 179099587640
      Call Trace:
       [<ffffffff8147321f>] context_switch+0x60f/0xa60 kernel/sched/core.c:3209
       [<ffffffff8100095a>] __schedule+0x5aa/0x1da0 kernel/sched/core.c:3934
       [<ffffffff810021df>] schedule+0x8f/0x1b0 kernel/sched/core.c:4011
       [<ffffffff8101116d>] schedule_timeout+0x50d/0xee0 kernel/time/timer.c:1803
       [<ffffffff815c13f1>] rcu_gp_kthread+0xda1/0x3b50 kernel/rcu/tree.c:2327
       [<ffffffff8144b318>] kthread+0x348/0x420 kernel/kthread.c:246
       [<ffffffff84400266>] ret_from_fork+0x56/0x70 arch/x86/entry/entry_64.S:393
      
      Fixes: ba35f858 (“ipvlan: Defer multicast / broadcast processing to a work-queue”)
      Signed-off-by: default avatarMahesh Bandewar <maheshb@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8079db5d
    • Jakub Kicinski's avatar
      nfc: add missing attribute validation for vendor subcommand · 65ff45df
      Jakub Kicinski authored
      [ Upstream commit 6ba3da44 ]
      
      Add missing attribute validation for vendor subcommand attributes
      to the netlink policy.
      
      Fixes: 9e58095f ("NFC: netlink: Implement vendor command support")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65ff45df
    • Jakub Kicinski's avatar
      nfc: add missing attribute validation for SE API · 0ba5c3dd
      Jakub Kicinski authored
      [ Upstream commit 361d23e4 ]
      
      Add missing attribute validation for NFC_ATTR_SE_INDEX
      to the netlink policy.
      
      Fixes: 5ce3f32b ("NFC: netlink: SE API implementation")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ba5c3dd
    • Jakub Kicinski's avatar
      team: add missing attribute validation for array index · 26623ec1
      Jakub Kicinski authored
      [ Upstream commit 669fcd77 ]
      
      Add missing attribute validation for TEAM_ATTR_OPTION_ARRAY_INDEX
      to the netlink policy.
      
      Fixes: b1303326 ("team: introduce array options")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      26623ec1
    • Jakub Kicinski's avatar
      team: add missing attribute validation for port ifindex · c8571e0c
      Jakub Kicinski authored
      [ Upstream commit dd25cb27 ]
      
      Add missing attribute validation for TEAM_ATTR_OPTION_PORT_IFINDEX
      to the netlink policy.
      
      Fixes: 80f7c668 ("team: add support for per-port options")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c8571e0c
    • Jakub Kicinski's avatar
      net: fq: add missing attribute validation for orphan mask · 65c9a7a2
      Jakub Kicinski authored
      [ Upstream commit 7e6dc03e ]
      
      Add missing attribute validation for TCA_FQ_ORPHAN_MASK
      to the netlink policy.
      
      Fixes: 06eb395f ("pkt_sched: fq: better control of DDOS traffic")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      65c9a7a2
    • Jakub Kicinski's avatar
      macsec: add missing attribute validation for port · 1abae2c5
      Jakub Kicinski authored
      [ Upstream commit 31d9a1c5 ]
      
      Add missing attribute validation for IFLA_MACSEC_PORT
      to the netlink policy.
      
      Fixes: c09440f7 ("macsec: introduce IEEE 802.1AE driver")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1abae2c5
    • Jakub Kicinski's avatar
      nl802154: add missing attribute validation for dev_type · 76de44ee
      Jakub Kicinski authored
      [ Upstream commit b60673c4 ]
      
      Add missing attribute type validation for IEEE802154_ATTR_DEV_TYPE
      to the netlink policy.
      
      Fixes: 90c049b2 ("ieee802154: interface type to be added")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Acked-by: default avatarStefan Schmidt <stefan@datenfreihafen.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76de44ee
    • Jakub Kicinski's avatar
      nl802154: add missing attribute validation · 5869a748
      Jakub Kicinski authored
      [ Upstream commit 9322cd7c ]
      
      Add missing attribute validation for several u8 types.
      
      Fixes: 2c21d115 ("net: add NL802154 interface for configuration of 802.15.4 devices")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Acked-by: default avatarStefan Schmidt <stefan@datenfreihafen.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5869a748
    • Jakub Kicinski's avatar
      fib: add missing attribute validation for tun_id · 0b21c9cb
      Jakub Kicinski authored
      [ Upstream commit 4c16d64e ]
      
      Add missing netlink policy entry for FRA_TUN_ID.
      
      Fixes: e7030878 ("fib: Add fib rule match on tunnel id")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0b21c9cb
    • Vasundhara Volam's avatar
      bnxt_en: reinitialize IRQs when MTU is modified · 285112d5
      Vasundhara Volam authored
      [ Upstream commit a9b952d2 ]
      
      MTU changes may affect the number of IRQs so we must call
      bnxt_close_nic()/bnxt_open_nic() with the irq_re_init parameter
      set to true.  The reason is that a larger MTU may require
      aggregation rings not needed with smaller MTU.  We may not be
      able to allocate the required number of aggregation rings and
      so we reduce the number of channels which will change the number
      of IRQs.  Without this patch, it may crash eventually in
      pci_disable_msix() when the IRQs are not properly unwound.
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Signed-off-by: default avatarVasundhara Volam <vasundhara-v.volam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      285112d5
    • You-Sheng Yang's avatar
      r8152: check disconnect status after long sleep · f120a400
      You-Sheng Yang authored
      [ Upstream commit d64c7a08 ]
      
      Dell USB Type C docking WD19/WD19DC attaches additional peripherals as:
      
        /: Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
            |__ Port 1: Dev 11, If 0, Class=Hub, Driver=hub/4p, 5000M
                |__ Port 3: Dev 12, If 0, Class=Hub, Driver=hub/4p, 5000M
                |__ Port 4: Dev 13, If 0, Class=Vendor Specific Class,
                    Driver=r8152, 5000M
      
      where usb 2-1-3 is a hub connecting all USB Type-A/C ports on the dock.
      
      When hotplugging such dock with additional usb devices already attached on
      it, the probing process may reset usb 2.1 port, therefore r8152 ethernet
      device is also reset. However, during r8152 device init there are several
      for-loops that, when it's unable to retrieve hardware registers due to
      being disconnected from USB, may take up to 14 seconds each in practice,
      and that has to be completed before USB may re-enumerate devices on the
      bus. As a result, devices attached to the dock will only be available
      after nearly 1 minute after the dock was plugged in:
      
        [ 216.388290] [250] r8152 2-1.4:1.0: usb_probe_interface
        [ 216.388292] [250] r8152 2-1.4:1.0: usb_probe_interface - got id
        [ 258.830410] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): PHY not ready
        [ 258.830460] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Invalid header when reading pass-thru MAC addr
        [ 258.830464] r8152 2-1.4:1.0 (unnamed net_device) (uninitialized): Get ether addr fail
      
      This happens in, for example, r8153_init:
      
        static int generic_ocp_read(struct r8152 *tp, u16 index, u16 size,
      			    void *data, u16 type)
        {
          if (test_bit(RTL8152_UNPLUG, &tp->flags))
            return -ENODEV;
          ...
        }
      
        static u16 ocp_read_word(struct r8152 *tp, u16 type, u16 index)
        {
          u32 data;
          ...
          generic_ocp_read(tp, index, sizeof(tmp), &tmp, type | byen);
      
          data = __le32_to_cpu(tmp);
          ...
          return (u16)data;
        }
      
        static void r8153_init(struct r8152 *tp)
        {
          ...
          if (test_bit(RTL8152_UNPLUG, &tp->flags))
            return;
      
          for (i = 0; i < 500; i++) {
            if (ocp_read_word(tp, MCU_TYPE_PLA, PLA_BOOT_CTRL) &
                AUTOLOAD_DONE)
              break;
            msleep(20);
          }
          ...
        }
      
      Since ocp_read_word() doesn't check the return status of
      generic_ocp_read(), and the only exit condition for the loop is to have
      a match in the returned value, such loops will only ends after exceeding
      its maximum runs when the device has been marked as disconnected, which
      takes 500 * 20ms = 10 seconds in theory, 14 in practice.
      
      To solve this long latency another test to RTL8152_UNPLUG flag should be
      added after those 20ms sleep to skip unnecessary loops, so that the device
      probe can complete early and proceed to parent port reset/reprobe process.
      
      This can be reproduced on all kernel versions up to latest v5.6-rc2, but
      after v5.5-rc7 the reproduce rate is dramatically lowered to 1/30 or less
      while it was around 1/2.
      Signed-off-by: default avatarYou-Sheng Yang <vicamo.yang@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f120a400
    • Dan Carpenter's avatar
      net: nfc: fix bounds checking bugs on "pipe" · e5660ee1
      Dan Carpenter authored
      [ Upstream commit a3aefbfe ]
      
      This is similar to commit 674d9de0 ("NFC: Fix possible memory
      corruption when handling SHDLC I-Frame commands") and commit d7ee81ad
      ("NFC: nci: Add some bounds checking in nci_hci_cmd_received()") which
      added range checks on "pipe".
      
      The "pipe" variable comes skb->data[0] in nfc_hci_msg_rx_work().
      It's in the 0-255 range.  We're using it as the array index into the
      hdev->pipes[] array which has NFC_HCI_MAX_PIPES (128) members.
      
      Fixes: 118278f2 ("NFC: hci: Add pipes table to reference them with a tuple {gate, host}")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5660ee1