1. 12 Nov, 2019 40 commits
    • Konstantin Khlebnikov's avatar
      mm/filemap.c: don't initiate writeback if mapping has no dirty pages · d3b3c0a1
      Konstantin Khlebnikov authored
      commit c3aab9a0 upstream.
      
      Functions like filemap_write_and_wait_range() should do nothing if inode
      has no dirty pages or pages currently under writeback.  But they anyway
      construct struct writeback_control and this does some atomic operations if
      CONFIG_CGROUP_WRITEBACK=y - on fast path it locks inode->i_lock and
      updates state of writeback ownership, on slow path might be more work.
      Current this path is safely avoided only when inode mapping has no pages.
      
      For example generic_file_read_iter() calls filemap_write_and_wait_range()
      at each O_DIRECT read - pretty hot path.
      
      This patch skips starting new writeback if mapping has no dirty tags set.
      If writeback is already in progress filemap_write_and_wait_range() will
      wait for it.
      
      Link: http://lkml.kernel.org/r/156378816804.1087.8607636317907921438.stgit@buzzSigned-off-by: default avatarKonstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Cc: Tejun Heo <tj@kernel.org>
      Cc: Jens Axboe <axboe@kernel.dk>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d3b3c0a1
    • Jean-Baptiste Maneyrol's avatar
      iio: imu: inv_mpu6050: fix no data on MPU6050 · 285eb6af
      Jean-Baptiste Maneyrol authored
      [ Upstream commit 6e82ae6b ]
      
      Some chips have a fifo overflow bit issue where the bit is always
      set. The result is that every data is dropped.
      
      Change fifo overflow management by checking fifo count against
      a maximum value.
      
      Add fifo size in chip hardware set of values.
      
      Fixes: f5057e7b ("iio: imu: inv_mpu6050: better fifo overflow handling")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJean-Baptiste Maneyrol <jmaneyrol@invensense.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      285eb6af
    • Randolph Maaßen's avatar
      iio: imu: mpu6050: Add support for the ICM 20602 IMU · d888a807
      Randolph Maaßen authored
      [ Upstream commit 22904bdf ]
      
      The Invensense ICM-20602 is a 6-axis MotionTracking device that
      combines a 3-axis gyroscope and an 3-axis accelerometer. It is very
      similar to the ICM-20608 imu which is already supported by the mpu6050
      driver. The main difference is that the ICM-20602 has the i2c bus
      disable bit in a separate register.
      Signed-off-by: default avatarRandolph Maaßen <gaireg@gaireg.de>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d888a807
    • Tejun Heo's avatar
      blkcg: make blkcg_print_stat() print stats only for online blkgs · 52212812
      Tejun Heo authored
      [ Upstream commit b0814361 ]
      
      blkcg_print_stat() iterates blkgs under RCU and doesn't test whether
      the blkg is online.  This can call into pd_stat_fn() on a pd which is
      still being initialized leading to an oops.
      
      The heaviest operation - recursively summing up rwstat counters - is
      already done while holding the queue_lock.  Expand queue_lock to cover
      the other operations and skip the blkg if it isn't online yet.  The
      online state is protected by both blkcg and queue locks, so this
      guarantees that only online blkgs are processed.
      Signed-off-by: default avatarTejun Heo <tj@kernel.org>
      Reported-by: default avatarRoman Gushchin <guro@fb.com>
      Cc: Josef Bacik <jbacik@fb.com>
      Fixes: 903d23f0 ("blk-cgroup: allow controllers to output their own stats")
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      52212812
    • Hans de Goede's avatar
      pinctrl: cherryview: Fix irq_valid_mask calculation · 30b96939
      Hans de Goede authored
      [ Upstream commit 63bdef6c ]
      
      Commit 03c4749d ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux
      GPIO translation") has made the cherryview gpio numbers sparse, to get
      a 1:1 mapping between ACPI pin numbers and gpio numbers in Linux.
      
      This has greatly simplified things, but the code setting the
      irq_valid_mask was not updated for this, so the valid mask is still in
      the old "compressed" numbering with the gaps in the pin numbers skipped,
      which is wrong as irq_valid_mask needs to be expressed in gpio numbers.
      
      This results in the following error on devices using pin 24 (0x0018) on
      the north GPIO controller as an ACPI event source:
      
      [    0.422452] cherryview-pinctrl INT33FF:01: Failed to translate GPIO to IRQ
      
      This has been reported (by email) to be happening on a Caterpillar CAT T20
      tablet and I've reproduced this myself on a Medion Akoya e2215t 2-in-1.
      
      This commit uses the pin number instead of the compressed index into
      community->pins to clear the correct bits in irq_valid_mask for GPIOs
      using GPEs for interrupts, fixing these errors and in case of the
      Medion Akoya e2215t also fixing the LID switch not working.
      
      Cc: stable@vger.kernel.org
      Fixes: 03c4749d ("gpio / ACPI: Drop unnecessary ACPI GPIO to Linux GPIO translation")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      30b96939
    • Shuning Zhang's avatar
      ocfs2: protect extent tree in ocfs2_prepare_inode_for_write() · ca79bb7e
      Shuning Zhang authored
      [ Upstream commit e74540b2 ]
      
      When the extent tree is modified, it should be protected by inode
      cluster lock and ip_alloc_sem.
      
      The extent tree is accessed and modified in the
      ocfs2_prepare_inode_for_write, but isn't protected by ip_alloc_sem.
      
      The following is a case.  The function ocfs2_fiemap is accessing the
      extent tree, which is modified at the same time.
      
        kernel BUG at fs/ocfs2/extent_map.c:475!
        invalid opcode: 0000 [#1] SMP
        Modules linked in: tun ocfs2 ocfs2_nodemanager configfs ocfs2_stackglue [...]
        CPU: 16 PID: 14047 Comm: o2info Not tainted 4.1.12-124.23.1.el6uek.x86_64 #2
        Hardware name: Oracle Corporation ORACLE SERVER X7-2L/ASM, MB MECH, X7-2L, BIOS 42040600 10/19/2018
        task: ffff88019487e200 ti: ffff88003daa4000 task.ti: ffff88003daa4000
        RIP: ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2]
        Call Trace:
          ocfs2_fiemap+0x1e3/0x430 [ocfs2]
          do_vfs_ioctl+0x155/0x510
          SyS_ioctl+0x81/0xa0
          system_call_fastpath+0x18/0xd8
        Code: 18 48 c7 c6 60 7f 65 a0 31 c0 bb e2 ff ff ff 48 8b 4a 40 48 8b 7a 28 48 c7 c2 78 2d 66 a0 e8 38 4f 05 00 e9 28 fe ff ff 0f 1f 00 <0f> 0b 66 0f 1f 44 00 00 bb 86 ff ff ff e9 13 fe ff ff 66 0f 1f
        RIP  ocfs2_get_clusters_nocache.isra.11+0x390/0x550 [ocfs2]
        ---[ end trace c8aa0c8180e869dc ]---
        Kernel panic - not syncing: Fatal exception
        Kernel Offset: disabled
      
      This issue can be reproduced every week in a production environment.
      
      This issue is related to the usage mode.  If others use ocfs2 in this
      mode, the kernel will panic frequently.
      
      [akpm@linux-foundation.org: coding style fixes]
      [Fix new warning due to unused function by removing said function - Linus ]
      Link: http://lkml.kernel.org/r/1568772175-2906-2-git-send-email-sunny.s.zhang@oracle.comSigned-off-by: default avatarShuning Zhang <sunny.s.zhang@oracle.com>
      Reviewed-by: default avatarJunxiao Bi <junxiao.bi@oracle.com>
      Reviewed-by: default avatarGang He <ghe@suse.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Joseph Qi <jiangqi903@gmail.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ca79bb7e
    • Andy Shevchenko's avatar
      pinctrl: intel: Avoid potential glitches if pin is in GPIO mode · 2c655a11
      Andy Shevchenko authored
      [ Upstream commit 29c2c6aa ]
      
      When consumer requests a pin, in order to be on the safest side,
      we switch it first to GPIO mode followed by immediate transition
      to the input state. Due to posted writes it's luckily to be a single
      I/O transaction.
      
      However, if firmware or boot loader already configures the pin
      to the GPIO mode, user expects no glitches for the requested pin.
      We may check if the pin is pre-configured and leave it as is
      till the actual consumer toggles its state to avoid glitches.
      
      Fixes: 7981c001 ("pinctrl: intel: Add Intel Sunrisepoint pin controller and GPIO support")
      Depends-on: f5a26acf ("pinctrl: intel: Initialize GPIO properly when used through irqchip")
      Cc: stable@vger.kernel.org
      Cc: fei.yang@intel.com
      Reported-by: default avatarOliver Barta <oliver.barta@aptiv.com>
      Reported-by: default avatarMalin Jonsson <malin.jonsson@ericsson.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2c655a11
    • Wenwen Wang's avatar
      e1000: fix memory leaks · 713adf6d
      Wenwen Wang authored
      [ Upstream commit 8472ba62 ]
      
      In e1000_set_ringparam(), 'tx_old' and 'rx_old' are not deallocated if
      e1000_up() fails, leading to memory leaks. Refactor the code to fix this
      issue.
      Signed-off-by: default avatarWenwen Wang <wenwen@cs.uga.edu>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      713adf6d
    • Manfred Rudigier's avatar
      igb: Fix constant media auto sense switching when no cable is connected · 4a055717
      Manfred Rudigier authored
      [ Upstream commit 8d5cfd7f ]
      
      At least on the i350 there is an annoying behavior that is maybe also
      present on 82580 devices, but was probably not noticed yet as MAS is not
      widely used.
      
      If no cable is connected on both fiber/copper ports the media auto sense
      code will constantly swap between them as part of the watchdog task and
      produce many unnecessary kernel log messages.
      
      The swap code responsible for this behavior (switching to fiber) should
      not be executed if the current media type is copper and there is no signal
      detected on the fiber port. In this case we can safely wait until the
      AUTOSENSE_EN bit is cleared.
      Signed-off-by: default avatarManfred Rudigier <manfred.rudigier@omicronenergy.com>
      Tested-by: default avatarAaron Brown <aaron.f.brown@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4a055717
    • Chuhong Yuan's avatar
      net: ethernet: arc: add the missed clk_disable_unprepare · 1baab835
      Chuhong Yuan authored
      [ Upstream commit 4202e219 ]
      
      The remove misses to disable and unprepare priv->macclk like what is done
      when probe fails.
      Add the missed call in remove.
      Signed-off-by: default avatarChuhong Yuan <hslester96@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1baab835
    • Trond Myklebust's avatar
      NFSv4: Don't allow a cached open with a revoked delegation · 24523745
      Trond Myklebust authored
      [ Upstream commit be3df3dd ]
      
      If the delegation is marked as being revoked, we must not use it
      for cached opens.
      
      Fixes: 869f9dfa ("NFSv4: Fix races between nfs_remove_bad_delegation() and delegation return")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      24523745
    • Felipe Balbi's avatar
      usb: dwc3: gadget: fix race when disabling ep with cancelled xfers · 440a748e
      Felipe Balbi authored
      [ Upstream commit d8eca64e ]
      
      When disabling an endpoint which has cancelled requests, we should
      make sure to giveback requests that are currently pending in the
      cancelled list, otherwise we may fall into a situation where command
      completion interrupt fires after endpoint has been disabled, therefore
      causing a splat.
      
      Fixes: fec9095b "usb: dwc3: gadget: remove wait_end_transfer"
      Reported-by: default avatarRoger Quadros <rogerq@ti.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Link: https://lore.kernel.org/r/20191031090713.1452818-1-felipe.balbi@linux.intel.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      440a748e
    • Haiyang Zhang's avatar
      hv_netvsc: Fix error handling in netvsc_attach() · e66f52eb
      Haiyang Zhang authored
      [ Upstream commit 719b85c3 ]
      
      If rndis_filter_open() fails, we need to remove the rndis device created
      in earlier steps, before returning an error code. Otherwise, the retry of
      netvsc_attach() from its callers will fail and hang.
      
      Fixes: 7b2ee50c ("hv_netvsc: common detach logic")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e66f52eb
    • Michael Strauss's avatar
      drm/amd/display: Passive DP->HDMI dongle detection fix · 99d5f18c
      Michael Strauss authored
      [ Upstream commit bc2fde42 ]
      
      [WHY]
      i2c_read is called to differentiate passive DP->HDMI and DP->DVI-D dongles
      The call is expected to fail in DVI-D case but pass in HDMI case
      Some HDMI dongles have a chance to fail as well, causing misdetection as DVI-D
      
      [HOW]
      Retry i2c_read to ensure failed result is valid
      Signed-off-by: default avatarMichael Strauss <michael.strauss@amd.com>
      Reviewed-by: default avatarTony Cheng <Tony.Cheng@amd.com>
      Acked-by: default avatarLeo Li <sunpeng.li@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      99d5f18c
    • Andrey Grodzovsky's avatar
      drm/amdgpu: If amdgpu_ib_schedule fails return back the error. · e5edbf9c
      Andrey Grodzovsky authored
      [ Upstream commit 57c0f58e ]
      
      Use ERR_PTR to return back the error happened during amdgpu_ib_schedule.
      Signed-off-by: default avatarAndrey Grodzovsky <andrey.grodzovsky@amd.com>
      Reviewed-by: default avatarChristian König <christian.koenig@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e5edbf9c
    • Takashi Iwai's avatar
      iommu/amd: Apply the same IVRS IOAPIC workaround to Acer Aspire A315-41 · b651ddc1
      Takashi Iwai authored
      [ Upstream commit ad3e8da2 ]
      
      Acer Aspire A315-41 requires the very same workaround as the existing
      quirk for Dell Latitude 5495.  Add the new entry for that.
      
      BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1137799Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b651ddc1
    • Vladimir Oltean's avatar
      net: mscc: ocelot: refuse to overwrite the port's native vlan · 214e4f0e
      Vladimir Oltean authored
      [ Upstream commit b9cd75e6 ]
      
      The switch driver keeps a "vid" variable per port, which signifies _the_
      VLAN ID that is stripped on that port's egress (aka the native VLAN on a
      trunk port).
      
      That is the way the hardware is designed (mostly). The port->vid is
      programmed into REW:PORT:PORT_VLAN_CFG:PORT_VID and the rewriter is told
      to send all traffic as tagged except the one having port->vid.
      
      There exists a possibility of finer-grained egress untagging decisions:
      using the VCAP IS1 engine, one rule can be added to match every
      VLAN-tagged frame whose VLAN should be untagged, and set POP_CNT=1 as
      action. However, the IS1 can hold at most 512 entries, and the VLANs are
      in the order of 6 * 4096.
      
      So the code is fine for now. But this sequence of commands:
      
      $ bridge vlan add dev swp0 vid 1 pvid untagged
      $ bridge vlan add dev swp0 vid 2 untagged
      
      makes untagged and pvid-tagged traffic be sent out of swp0 as tagged
      with VID 1, despite user's request.
      
      Prevent that from happening. The user should temporarily remove the
      existing untagged VLAN (1 in this case), add it back as tagged, and then
      add the new untagged VLAN (2 in this case).
      
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
      Fixes: 7142529f ("net: mscc: ocelot: add VLAN filtering")
      Signed-off-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      214e4f0e
    • Vladimir Oltean's avatar
      net: mscc: ocelot: fix vlan_filtering when enslaving to bridge before link is up · 5aedcc8a
      Vladimir Oltean authored
      [ Upstream commit 1c44ce56 ]
      
      Background information: the driver operates the hardware in a mode where
      a single VLAN can be transmitted as untagged on a particular egress
      port. That is the "native VLAN on trunk port" use case. Its value is
      held in port->vid.
      
      Consider the following command sequence (no network manager, all
      interfaces are down, debugging prints added by me):
      
      $ ip link add dev br0 type bridge vlan_filtering 1
      $ ip link set dev swp0 master br0
      
      Kernel code path during last command:
      
      br_add_slave -> ocelot_netdevice_port_event (NETDEV_CHANGEUPPER):
      [   21.401901] ocelot_vlan_port_apply: port 0 vlan aware 0 pvid 0 vid 0
      
      br_add_slave -> nbp_vlan_init -> switchdev_port_attr_set -> ocelot_port_attr_set (SWITCHDEV_ATTR_ID_BRIDGE_VLAN_FILTERING):
      [   21.413335] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 0 vid 0
      
      br_add_slave -> nbp_vlan_init -> nbp_vlan_add -> br_switchdev_port_vlan_add -> switchdev_port_obj_add -> ocelot_port_obj_add -> ocelot_vlan_vid_add
      [   21.667421] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 1
      
      So far so good. The bridge has replaced the driver's default pvid used
      in standalone mode (0) with its own default_pvid (1). The port's vid
      (native VLAN) has also changed from 0 to 1.
      
      $ ip link set dev swp0 up
      
      [   31.722956] 8021q: adding VLAN 0 to HW filter on device swp0
      do_setlink -> dev_change_flags -> vlan_vid_add -> ocelot_vlan_rx_add_vid -> ocelot_vlan_vid_add:
      [   31.728700] ocelot_vlan_port_apply: port 0 vlan aware 1 pvid 1 vid 0
      
      The 8021q module uses the .ndo_vlan_rx_add_vid API on .ndo_open to make
      ports be able to transmit and receive 802.1p-tagged traffic by default.
      This API is supposed to offload a VLAN sub-interface, which for a switch
      port means to add a VLAN that is not a pvid, and tagged on egress.
      
      But the driver implementation of .ndo_vlan_rx_add_vid is wrong: it adds
      back vid 0 as "egress untagged". Now back to the initial paragraph:
      there is a single untagged VID that the driver keeps track of, and that
      has just changed from 1 (the pvid) to 0. So this breaks the bridge
      core's expectation, because it has changed vid 1 from untagged to
      tagged, when what the user sees is.
      
      $ bridge vlan
      port    vlan ids
      swp0     1 PVID Egress Untagged
      
      br0      1 PVID Egress Untagged
      
      But curiously, instead of manifesting itself as "untagged and
      pvid-tagged traffic gets sent as tagged on egress", the bug:
      
      - is hidden when vlan_filtering=0
      - manifests as dropped traffic when vlan_filtering=1, due to this setting:
      
      	if (port->vlan_aware && !port->vid)
      		/* If port is vlan-aware and tagged, drop untagged and priority
      		 * tagged frames.
      		 */
      		val |= ANA_PORT_DROP_CFG_DROP_UNTAGGED_ENA |
      		       ANA_PORT_DROP_CFG_DROP_PRIO_S_TAGGED_ENA |
      		       ANA_PORT_DROP_CFG_DROP_PRIO_C_TAGGED_ENA;
      
      which would have made sense if it weren't for this bug. The setting's
      intention was "this is a trunk port with no native VLAN, so don't accept
      untagged traffic". So the driver was never expecting to set VLAN 0 as
      the value of the native VLAN, 0 was just encoding for "invalid".
      
      So the fix is to not send 802.1p traffic as untagged, because that would
      change the port's native vlan to 0, unbeknownst to the bridge, and
      trigger unexpected code paths in the driver.
      
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Cc: Alexandre Belloni <alexandre.belloni@bootlin.com>
      Fixes: 7142529f ("net: mscc: ocelot: add VLAN filtering")
      Signed-off-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: default avatarAlexandre Belloni <alexandre.belloni@bootlin.com>
      Reviewed-by: default avatarHoratiu Vultur <horatiu.vultur@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5aedcc8a
    • Jiangfeng Xiao's avatar
      net: hisilicon: Fix "Trying to free already-free IRQ" · 3b956e63
      Jiangfeng Xiao authored
      [ Upstream commit 63a41746 ]
      
      When rmmod hip04_eth.ko, we can get the following warning:
      
      Task track: rmmod(1623)>bash(1591)>login(1581)>init(1)
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 1623 at kernel/irq/manage.c:1557 __free_irq+0xa4/0x2ac()
      Trying to free already-free IRQ 200
      Modules linked in: ping(O) pramdisk(O) cpuinfo(O) rtos_snapshot(O) interrupt_ctrl(O) mtdblock mtd_blkdevrtfs nfs_acl nfs lockd grace sunrpc xt_tcpudp ipt_REJECT iptable_filter ip_tables x_tables nf_reject_ipv
      CPU: 0 PID: 1623 Comm: rmmod Tainted: G           O    4.4.193 #1
      Hardware name: Hisilicon A15
      [<c020b408>] (rtos_unwind_backtrace) from [<c0206624>] (show_stack+0x10/0x14)
      [<c0206624>] (show_stack) from [<c03f2be4>] (dump_stack+0xa0/0xd8)
      [<c03f2be4>] (dump_stack) from [<c021a780>] (warn_slowpath_common+0x84/0xb0)
      [<c021a780>] (warn_slowpath_common) from [<c021a7e8>] (warn_slowpath_fmt+0x3c/0x68)
      [<c021a7e8>] (warn_slowpath_fmt) from [<c026876c>] (__free_irq+0xa4/0x2ac)
      [<c026876c>] (__free_irq) from [<c0268a14>] (free_irq+0x60/0x7c)
      [<c0268a14>] (free_irq) from [<c0469e80>] (release_nodes+0x1c4/0x1ec)
      [<c0469e80>] (release_nodes) from [<c0466924>] (__device_release_driver+0xa8/0x104)
      [<c0466924>] (__device_release_driver) from [<c0466a80>] (driver_detach+0xd0/0xf8)
      [<c0466a80>] (driver_detach) from [<c0465e18>] (bus_remove_driver+0x64/0x8c)
      [<c0465e18>] (bus_remove_driver) from [<c02935b0>] (SyS_delete_module+0x198/0x1e0)
      [<c02935b0>] (SyS_delete_module) from [<c0202ed0>] (__sys_trace_return+0x0/0x10)
      ---[ end trace bb25d6123d849b44 ]---
      
      Currently "rmmod hip04_eth.ko" call free_irq more than once
      as devres_release_all and hip04_remove both call free_irq.
      This results in a 'Trying to free already-free IRQ' warning.
      To solve the problem free_irq has been moved out of hip04_remove.
      Signed-off-by: default avatarJiangfeng Xiao <xiaojiangfeng@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3b956e63
    • Will Deacon's avatar
      fjes: Handle workqueue allocation failure · f09b99c8
      Will Deacon authored
      [ Upstream commit 85ac30fa ]
      
      In the highly unlikely event that we fail to allocate either of the
      "/txrx" or "/control" workqueues, we should bail cleanly rather than
      blindly march on with NULL queue pointer(s) installed in the
      'fjes_adapter' instance.
      
      Cc: "David S. Miller" <davem@davemloft.net>
      Reported-by: default avatarNicolas Waisman <nico@semmle.com>
      Link: https://lore.kernel.org/lkml/CADJ_3a8WFrs5NouXNqS5WYe7rebFP+_A5CheeqAyD_p7DFJJcg@mail.gmail.com/Signed-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f09b99c8
    • Anton Eidelman's avatar
      nvme-multipath: fix possible io hang after ctrl reconnect · 6376736d
      Anton Eidelman authored
      [ Upstream commit af8fd042 ]
      
      The following scenario results in an IO hang:
      1) ctrl completes a request with NVME_SC_ANA_TRANSITION.
         NVME_NS_ANA_PENDING bit in ns->flags is set and ana_work is triggered.
      2) ana_work: nvme_read_ana_log() tries to get the ANA log page from the ctrl.
         This fails because ctrl disconnects.
         Therefore nvme_update_ns_ana_state() is not called
         and NVME_NS_ANA_PENDING bit in ns->flags is not cleared.
      3) ctrl reconnects: nvme_mpath_init(ctrl,...) calls
         nvme_read_ana_log(ctrl, groups_only=true).
         However, nvme_update_ana_state() does not update namespaces
         because nr_nsids = 0 (due to groups_only mode).
      4) scan_work calls nvme_validate_ns() finds the ns and re-validates OK.
      
      Result:
      The ctrl is now live but NVME_NS_ANA_PENDING bit in ns->flags is still set.
      Consequently ctrl will never be considered a viable path by __nvme_find_path().
      IO will hang if ctrl is the only or the last path to the namespace.
      
      More generally, while ctrl is reconnecting, its ANA state may change.
      And because nvme_mpath_init() requests ANA log in groups_only mode,
      these changes are not propagated to the existing ctrl namespaces.
      This may result in a mal-function or an IO hang.
      
      Solution:
      nvme_mpath_init() will nvme_read_ana_log() with groups_only set to false.
      This will not harm the new ctrl case (no namespaces present),
      and will make sure the ANA state of namespaces gets updated after reconnect.
      
      Note: Another option would be for nvme_mpath_init() to invoke
      nvme_parse_ana_log(..., nvme_set_ns_ana_state) for each existing namespace.
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarAnton Eidelman <anton@lightbitslabs.com>
      Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6376736d
    • Nicholas Piggin's avatar
      scsi: qla2xxx: stop timer in shutdown path · 1372527e
      Nicholas Piggin authored
      [ Upstream commit d3566abb ]
      
      In shutdown/reboot paths, the timer is not stopped:
      
        qla2x00_shutdown
        pci_device_shutdown
        device_shutdown
        kernel_restart_prepare
        kernel_restart
        sys_reboot
      
      This causes lockups (on powerpc) when firmware config space access calls
      are interrupted by smp_send_stop later in reboot.
      
      Fixes: e30d1756 ("[SCSI] qla2xxx: Addition of shutdown callback handler.")
      Link: https://lore.kernel.org/r/20191024063804.14538-1-npiggin@gmail.comSigned-off-by: default avatarNicholas Piggin <npiggin@gmail.com>
      Acked-by: default avatarHimanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1372527e
    • Lijun Ou's avatar
      RDMA/hns: Prevent memory leaks of eq->buf_list · f2bab3ed
      Lijun Ou authored
      [ Upstream commit b681a052 ]
      
      eq->buf_list->buf and eq->buf_list should also be freed when eqe_hop_num
      is set to 0, or there will be memory leaks.
      
      Fixes: a5073d60 ("RDMA/hns: Add eq support of hip08")
      Link: https://lore.kernel.org/r/1572072995-11277-3-git-send-email-liweihang@hisilicon.comSigned-off-by: default avatarLijun Ou <oulijun@huawei.com>
      Signed-off-by: default avatarWeihang Li <liweihang@hisilicon.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f2bab3ed
    • Potnuri Bharat Teja's avatar
      RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case · 55ca0834
      Potnuri Bharat Teja authored
      [ Upstream commit d4934f45 ]
      
      _put_ep_safe() and _put_pass_ep_safe() free the skb before it is freed by
      process_work(). fix double free by freeing the skb only in process_work().
      
      Fixes: 1dad0ebe ("iw_cxgb4: Avoid touch after free error in ARP failure handlers")
      Link: https://lore.kernel.org/r/1572006880-5800-1-git-send-email-bharat@chelsio.comSigned-off-by: default avatarDakshaja Uppalapati <dakshaja@chelsio.com>
      Signed-off-by: default avatarPotnuri Bharat Teja <bharat@chelsio.com>
      Reviewed-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      55ca0834
    • GwanYeong Kim's avatar
      usbip: tools: Fix read_usb_vudc_device() error path handling · e36be795
      GwanYeong Kim authored
      [ Upstream commit 28df0642 ]
      
      This isn't really accurate right. fread() doesn't always
      return 0 in error. It could return < number of elements
      and set errno.
      Signed-off-by: default avatarGwanYeong Kim <gy741.kim@gmail.com>
      Acked-by: default avatarShuah Khan <skhan@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20191018032223.4644-1-gy741.kim@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e36be795
    • Johan Hovold's avatar
      USB: ldusb: use unsigned size format specifiers · cd9561a5
      Johan Hovold authored
      [ Upstream commit 88f6bf38 ]
      
      A recent info-leak bug manifested itself along with warning about a
      negative buffer overflow:
      
      	ldusb 1-1:0.28: Read buffer overflow, -131383859965943 bytes dropped
      
      when it was really a rather large positive one.
      
      A sanity check that prevents this has now been put in place, but let's
      fix up the size format specifiers, which should all be unsigned.
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Link: https://lore.kernel.org/r/20191022143203.5260-3-johan@kernel.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cd9561a5
    • Alan Stern's avatar
      USB: Skip endpoints with 0 maxpacket length · c753113a
      Alan Stern authored
      [ Upstream commit d482c7bb ]
      
      Endpoints with a maxpacket length of 0 are probably useless.  They
      can't transfer any data, and it's not at all unlikely that an HCD will
      crash or hang when trying to handle an URB for such an endpoint.
      
      Currently the USB core does not check for endpoints having a maxpacket
      value of 0.  This patch adds a check, printing a warning and skipping
      over any endpoints it catches.
      
      Now, the USB spec does not rule out endpoints having maxpacket = 0.
      But since they wouldn't have any practical use, there doesn't seem to
      be any good reason for us to accept them.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      
      Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1910281050420.1485-100000@iolanthe.rowland.orgSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c753113a
    • Kan Liang's avatar
      perf/x86/uncore: Fix event group support · ef38f4d1
      Kan Liang authored
      [ Upstream commit 75be6f70 ]
      
      The events in the same group don't start or stop simultaneously.
      Here is the ftrace when enabling event group for uncore_iio_0:
      
        # perf stat -e "{uncore_iio_0/event=0x1/,uncore_iio_0/event=0xe/}"
      
                  <idle>-0     [000] d.h.  8959.064832: read_msr: a41, value
        b2b0b030		//Read counter reg of IIO unit0 counter0
                  <idle>-0     [000] d.h.  8959.064835: write_msr: a48, value
        400001			//Write Ctrl reg of IIO unit0 counter0 to enable
        counter0. <------ Although counter0 is enabled, Unit Ctrl is still
        freezed. Nothing will count. We are still good here.
                  <idle>-0     [000] d.h.  8959.064836: read_msr: a40, value
        30100                   //Read Unit Ctrl reg of IIO unit0
                  <idle>-0     [000] d.h.  8959.064838: write_msr: a40, value
        30000			//Write Unit Ctrl reg of IIO unit0 to enable all
        counters in the unit by clear Freeze bit  <------Unit0 is un-freezed.
        Counter0 has been enabled. Now it starts counting. But counter1 has not
        been enabled yet. The issue starts here.
                  <idle>-0     [000] d.h.  8959.064846: read_msr: a42, value 0
      			//Read counter reg of IIO unit0 counter1
                  <idle>-0     [000] d.h.  8959.064847: write_msr: a49, value
        40000e			//Write Ctrl reg of IIO unit0 counter1 to enable
        counter1.   <------ Now, counter1 just starts to count. Counter0 has
        been running for a while.
      
      Current code un-freezes the Unit Ctrl right after the first counter is
      enabled. The subsequent group events always loses some counter values.
      
      Implement pmu_enable and pmu_disable support for uncore, which can help
      to batch hardware accesses.
      
      No one uses uncore_enable_box and uncore_disable_box. Remove them.
      Signed-off-by: default avatarKan Liang <kan.liang@linux.intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Cc: linux-drivers-review@eclists.intel.com
      Cc: linux-perf@eclists.intel.com
      Fixes: 087bfbb0 ("perf/x86: Add generic Intel uncore PMU support")
      Link: https://lkml.kernel.org/r/1572014593-31591-1-git-send-email-kan.liang@linux.intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ef38f4d1
    • Kim Phillips's avatar
      perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) · f1475165
      Kim Phillips authored
      [ Upstream commit e431e79b ]
      
      This saves us writing the IBS control MSR twice when disabling the
      event.
      
      I searched revision guides for all families since 10h, and did not
      find occurrence of erratum #420, nor anything remotely similar:
      so we isolate the secondary MSR write to family 10h only.
      
      Also unconditionally update the count mask for IBS Op implementations
      that have read & writeable current count (CurCnt) fields in addition
      to the MaxCnt field.  These bits were reserved on prior
      implementations, and therefore shouldn't have negative impact.
      Signed-off-by: default avatarKim Phillips <kim.phillips@amd.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Fixes: c9574fe0 ("perf/x86-ibs: Implement workaround for IBS erratum #420")
      Link: https://lkml.kernel.org/r/20191023150955.30292-2-kim.phillips@amd.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f1475165
    • Kim Phillips's avatar
      perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity · 5b99e97b
      Kim Phillips authored
      [ Upstream commit 317b96bb ]
      
      The loop that reads all the IBS MSRs into *buf stopped one MSR short of
      reading the IbsOpData register, which contains the RipInvalid status bit.
      
      Fix the offset_max assignment so the MSR gets read, so the RIP invalid
      evaluation is based on what the IBS h/w output, instead of what was
      left in memory.
      Signed-off-by: default avatarKim Phillips <kim.phillips@amd.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Arnaldo Carvalho de Melo <acme@kernel.org>
      Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Stephane Eranian <eranian@google.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Vince Weaver <vincent.weaver@maine.edu>
      Fixes: d47e8238 ("perf/x86-ibs: Take instruction pointer from ibs sample")
      Link: https://lkml.kernel.org/r/20191023150955.30292-1-kim.phillips@amd.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5b99e97b
    • Yinbo Zhu's avatar
      usb: dwc3: remove the call trace of USBx_GFLADJ · 45944c4a
      Yinbo Zhu authored
      [ Upstream commit a7d9874c ]
      
      layerscape board sometimes reported some usb call trace, that is due to
      kernel sent LPM tokerns automatically when it has no pending transfers
      and think that the link is idle enough to enter L1, which procedure will
      ask usb register has a recovery,then kernel will compare USBx_GFLADJ and
      set GFLADJ_30MHZ, GFLADJ_30MHZ_REG until GFLADJ_30MHZ is equal 0x20, if
      the conditions were met then issue occur, but whatever the conditions
      whether were met that usb is all need keep GFLADJ_30MHZ of value is 0x20
      (xhci spec ask use GFLADJ_30MHZ to adjust any offset from clock source
      that generates the clock that drives the SOF counter, 0x20 is default
      value of it)That is normal logic, so need remove the call trace.
      Signed-off-by: default avatarYinbo Zhu <yinbo.zhu@nxp.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      45944c4a
    • Peter Chen's avatar
      usb: gadget: configfs: fix concurrent issue between composite APIs · dff38149
      Peter Chen authored
      [ Upstream commit 1a1c851b ]
      
      We meet several NULL pointer issues if configfs_composite_unbind
      and composite_setup (or composite_disconnect) are running together.
      These issues occur when do the function switch stress test, the
      configfs_compsoite_unbind is called from user mode by
      echo "" to /sys/../UDC entry, and meanwhile, the setup interrupt
      or disconnect interrupt occurs by hardware. The composite_setup
      will get the cdev from get_gadget_data, but configfs_composite_unbind
      will set gadget data as NULL, so the NULL pointer issue occurs.
      This concurrent is hard to reproduce by native kernel, but can be
      reproduced by android kernel.
      
      In this commit, we introduce one spinlock belongs to structure
      gadget_info since we can't use the same spinlock in usb_composite_dev
      due to exclusive running together between composite_setup and
      configfs_composite_unbind. And one bit flag 'unbind' to indicate the
      code is at unbind routine, this bit is needed due to we release the
      lock at during configfs_composite_unbind sometimes, and composite_setup
      may be run at that time.
      
      Several oops:
      
      oops 1:
      android_work: sent uevent USB_STATE=CONNECTED
      configfs-gadget gadget: super-speed config #1: b
      android_work: sent uevent USB_STATE=CONFIGURED
      init: Received control message 'start' for 'adbd' from pid: 3515 (system_server)
      Unable to handle kernel NULL pointer dereference at virtual address 0000002a
      init: Received control message 'stop' for 'adbd' from pid: 3375 (/vendor/bin/hw/android.hardware.usb@1.1-servic)
      Mem abort info:
        Exception class = DABT (current EL), IL = 32 bits
        SET = 0, FnV = 0
        EA = 0, S1PTW = 0
      Data abort info:
        ISV = 0, ISS = 0x00000004
        CM = 0, WnR = 0
      user pgtable: 4k pages, 48-bit VAs, pgd = ffff8008f1b7f000
      [000000000000002a] *pgd=0000000000000000
      Internal error: Oops: 96000004 [#1] PREEMPT SMP
      Modules linked in:
      CPU: 4 PID: 2457 Comm: irq/125-5b11000 Not tainted 4.14.98-07846-g0b40a9b-dirty #16
      Hardware name: Freescale i.MX8QM MEK (DT)
      task: ffff8008f2a98000 task.stack: ffff00000b7b8000
      PC is at composite_setup+0x44/0x1508
      LR is at android_setup+0xb8/0x13c
      pc : [<ffff0000089ffb3c>] lr : [<ffff000008a032fc>] pstate: 800001c5
      sp : ffff00000b7bbb80
      x29: ffff00000b7bbb80 x28: ffff8008f2a3c010
      x27: 0000000000000001 x26: 0000000000000000                                                          [1232/1897]
      audit: audit_lost=25791 audit_rate_limit=5 audit_backlog_limit=64
      x25: 00000000ffffffa1 x24: ffff8008f2a3c010
      audit: rate limit exceeded
      x23: 0000000000000409 x22: ffff000009c8e000
      x21: ffff8008f7a8b428 x20: ffff00000afae000
      x19: ffff0000089ff000 x18: 0000000000000000
      x17: 0000000000000000 x16: ffff0000082b7c9c
      x15: 0000000000000000 x14: f1866f5b952aca46
      x13: e35502e30d44349c x12: 0000000000000008
      x11: 0000000000000008 x10: 0000000000000a30
      x9 : ffff00000b7bbd00 x8 : ffff8008f2a98a90
      x7 : ffff8008f27a9c90 x6 : 0000000000000001
      x5 : 0000000000000000 x4 : 0000000000000001
      x3 : 0000000000000000 x2 : 0000000000000006
      x1 : ffff0000089ff8d0 x0 : 732a010310b9ed00
      
      X7: 0xffff8008f27a9c10:
      9c10  00000002 00000000 00000001 00000000 13110000 ffff0000 00000002 00208040
      9c30  00000000 00000000 00000000 00000000 00000000 00000005 00000029 00000000
      9c50  00051778 00000001 f27a8e00 ffff8008 00000005 00000000 00000078 00000078
      9c70  00000078 00000000 09031d48 ffff0000 00100000 00000000 00400000 00000000
      9c90  00000001 00000000 00000000 00000000 00000000 00000000 ffefb1a0 ffff8008
      9cb0  f27a9ca8 ffff8008 00000000 00000000 b9d88037 00000173 1618a3eb 00000001
      9cd0  870a792a 0000002e 16188fe6 00000001 0000242b 00000000 00000000 00000000
      using random self ethernet address
      9cf0  019a4646 00000000 000547f3 00000000 ecfd6c33 00000002 00000000
      using random host ethernet address
       00000000
      
      X8: 0xffff8008f2a98a10:
      8a10  00000000 00000000 f7788d00 ffff8008 00000001 00000000 00000000 00000000
      8a30  eb218000 ffff8008 f2a98000 ffff8008 f2a98000 ffff8008 09885000 ffff0000
      8a50  f34df480 ffff8008 00000000 00000000 f2a98648 ffff8008 09c8e000 ffff0000
      8a70  fff2c800 ffff8008 09031d48 ffff0000 0b7bbd00 ffff0000 0b7bbd00 ffff0000
      8a90  080861bc ffff0000 00000000 00000000 00000000 00000000 00000000 00000000
      8ab0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8ad0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8af0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      
      X21: 0xffff8008f7a8b3a8:
      b3a8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b3c8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b3e8  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b408  00000000 00000000 00000000 00000000 00000000 00000000 00000001 00000000
      b428  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      b448  0053004d 00540046 00300031 00010030 eb07b520 ffff8008 20011201 00000003
      b468  e418d109 0104404e 00010302 00000000 eb07b558 ffff8008 eb07b558 ffff8008
      b488  f7a8b488 ffff8008 f7a8b488 ffff8008 f7a8b300 ffff8008 00000000 00000000
      
      X24: 0xffff8008f2a3bf90:
      bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
      c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
      c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
      
      X28: 0xffff8008f2a3bf90:
      bf90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bfd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      bff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      c010  00000000 00000000 f2a3c018 ffff8008 f2a3c018 ffff8008 08a067dc ffff0000
      c030  f2a5a000 ffff8008 091c3650 ffff0000 f716fd18 ffff8008 f716fe30 ffff8008
      c050  f2ce4a30 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      c070  f76c8010 ffff8008 f2ce4b00 ffff8008 095cac68 ffff0000 f2a5a028 ffff8008
      
      Process irq/125-5b11000 (pid: 2457, stack limit = 0xffff00000b7b8000)
      Call trace:
      Exception stack(0xffff00000b7bba40 to 0xffff00000b7bbb80)
      ba40: 732a010310b9ed00 ffff0000089ff8d0 0000000000000006 0000000000000000
      ba60: 0000000000000001 0000000000000000 0000000000000001 ffff8008f27a9c90
      ba80: ffff8008f2a98a90 ffff00000b7bbd00 0000000000000a30 0000000000000008
      baa0: 0000000000000008 e35502e30d44349c f1866f5b952aca46 0000000000000000
      bac0: ffff0000082b7c9c 0000000000000000 0000000000000000 ffff0000089ff000
      bae0: ffff00000afae000 ffff8008f7a8b428 ffff000009c8e000 0000000000000409
      bb00: ffff8008f2a3c010 00000000ffffffa1 0000000000000000 0000000000000001
      bb20: ffff8008f2a3c010 ffff00000b7bbb80 ffff000008a032fc ffff00000b7bbb80
      bb40: ffff0000089ffb3c 00000000800001c5 ffff00000b7bbb80 732a010310b9ed00
      bb60: ffffffffffffffff ffff0000080f777c ffff00000b7bbb80 ffff0000089ffb3c
      [<ffff0000089ffb3c>] composite_setup+0x44/0x1508
      [<ffff000008a032fc>] android_setup+0xb8/0x13c
      [<ffff0000089bd9a8>] cdns3_ep0_delegate_req+0x44/0x70
      [<ffff0000089bdff4>] cdns3_check_ep0_interrupt_proceed+0x33c/0x654
      [<ffff0000089bca44>] cdns3_device_thread_irq_handler+0x4b0/0x4bc
      [<ffff0000089b77b4>] cdns3_thread_irq+0x48/0x68
      [<ffff000008145bf0>] irq_thread_fn+0x28/0x88
      [<ffff000008145e38>] irq_thread+0x13c/0x228
      [<ffff0000080fed70>] kthread+0x104/0x130
      [<ffff000008085064>] ret_from_fork+0x10/0x18
      
      oops2:
      composite_disconnect: Calling disconnect on a Gadget that is                      not connected
      android_work: did not send uevent (0 0           (null))
      init: Received control message 'stop' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
      init: Sending signal 9 to service 'adbd' (pid 22343) process group...
      ------------[ cut here ]------------
      audit: audit_lost=180038 audit_rate_limit=5 audit_backlog_limit=64
      audit: rate limit exceeded
      WARNING: CPU: 0 PID: 3468 at kernel_imx/drivers/usb/gadget/composite.c:2009 composite_disconnect+0x80/0x88
      Modules linked in:
      CPU: 0 PID: 3468 Comm: HWC-UEvent-Thre Not tainted 4.14.98-07846-g0b40a9b-dirty #16
      Hardware name: Freescale i.MX8QM MEK (DT)
      task: ffff8008f2349c00 task.stack: ffff00000b0a8000
      PC is at composite_disconnect+0x80/0x88
      LR is at composite_disconnect+0x80/0x88
      pc : [<ffff0000089ff9b0>] lr : [<ffff0000089ff9b0>] pstate: 600001c5
      sp : ffff000008003dd0
      x29: ffff000008003dd0 x28: ffff8008f2349c00
      x27: ffff000009885018 x26: ffff000008004000
      Timeout for IPC response!
      x25: ffff000009885018 x24: ffff000009c8e280
      x23: ffff8008f2d98010 x22: 00000000000001c0
      x21: ffff8008f2d98394 x20: ffff8008f2d98010
      x19: 0000000000000000 x18: 0000e3956f4f075a
      fxos8700 4-001e: i2c block read acc failed
      x17: 0000e395735727e8 x16: ffff00000829f4d4
      x15: ffffffffffffffff x14: 7463656e6e6f6320
      x13: 746f6e2009090920 x12: 7369207461687420
      x11: 7465676461472061 x10: 206e6f207463656e
      x9 : 6e6f637369642067 x8 : ffff000009c8e280
      x7 : ffff0000086ca6cc x6 : ffff000009f15e78
      x5 : 0000000000000000 x4 : 0000000000000000
      x3 : ffffffffffffffff x2 : c3f28b86000c3900
      x1 : c3f28b86000c3900 x0 : 000000000000004e
      
      X20: 0xffff8008f2d97f90:
      7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      libprocessgroup: Failed to kill process cgroup uid 0 pid 22343 in 215ms, 1 processes remain
      7fd0
      Timeout for IPC response!
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      using random self ethernet address
      7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc
      using random host ethernet address
       ffff0000
      8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
      8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
      
      X21: 0xffff8008f2d98314:
      8314  ffff8008 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8334  00000000 00000000 00000000 00000000 00000000 08a04cf4 ffff0000 00000000
      8354  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      8374  00000000 00000000 00000000 00001001 00000000 00000000 00000000 00000000
      8394  e4bbe4bb 0f230000 ffff0000 0afae000 ffff0000 ae001000 00000000 f206d400
      Timeout for IPC response!
      83b4  ffff8008 00000000 00000000 f7957b18 ffff8008 f7957718 ffff8008 f7957018
      83d4  ffff8008 f7957118 ffff8008 f7957618 ffff8008 f7957818 ffff8008 f7957918
      83f4  ffff8008 f7957d18 ffff8008 00000000 00000000 00000000 00000000 00000000
      
      X23: 0xffff8008f2d97f90:
      7f90  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fb0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7fd0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      7ff0  00000000 00000000 00000000 00000000 f76c8010 ffff8008 f76c8010 ffff8008
      8010  00000100 00000000 f2d98018 ffff8008 f2d98018 ffff8008 08a067dc ffff0000
      8030  f206d800 ffff8008 091c3650 ffff0000 f7957b18 ffff8008 f7957730 ffff8008
      8050  f716a630 ffff8008 00000000 00000005 00000000 00000000 095d1568 ffff0000
      8070  f76c8010 ffff8008 f716a800 ffff8008 095cac68 ffff0000 f206d828 ffff8008
      
      X28: 0xffff8008f2349b80:
      9b80  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9ba0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9bc0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9be0  00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      9c00  00000022 00000000 ffffffff ffffffff 00010001 00000000 00000000 00000000
      9c20  0b0a8000 ffff0000 00000002 00404040 00000000 00000000 00000000 00000000
      9c40  00000001 00000000 00000001 00000000 001ebd44 00000001 f390b800 ffff8008
      9c60  00000000 00000001 00000070 00000070 00000070 00000000 09031d48 ffff0000
      
      Call trace:
      Exception stack(0xffff000008003c90 to 0xffff000008003dd0)
      3c80:                                   000000000000004e c3f28b86000c3900
      3ca0: c3f28b86000c3900 ffffffffffffffff 0000000000000000 0000000000000000
      3cc0: ffff000009f15e78 ffff0000086ca6cc ffff000009c8e280 6e6f637369642067
      3ce0: 206e6f207463656e 7465676461472061 7369207461687420 746f6e2009090920
      3d00: 7463656e6e6f6320 ffffffffffffffff ffff00000829f4d4 0000e395735727e8
      3d20: 0000e3956f4f075a 0000000000000000 ffff8008f2d98010 ffff8008f2d98394
      3d40: 00000000000001c0 ffff8008f2d98010 ffff000009c8e280 ffff000009885018
      3d60: ffff000008004000 ffff000009885018 ffff8008f2349c00 ffff000008003dd0
      3d80: ffff0000089ff9b0 ffff000008003dd0 ffff0000089ff9b0 00000000600001c5
      3da0: ffff8008f33f2cd8 0000000000000000 0000ffffffffffff 0000000000000000
      init: Received control message 'start' for 'adbd' from pid: 3359 (/vendor/bin/hw/android.hardware.usb@1.1-service.imx)
      3dc0: ffff000008003dd0 ffff0000089ff9b0
      [<ffff0000089ff9b0>] composite_disconnect+0x80/0x88
      [<ffff000008a044d4>] android_disconnect+0x3c/0x68
      [<ffff0000089ba9f8>] cdns3_device_irq_handler+0xfc/0x2c8
      [<ffff0000089b84c0>] cdns3_irq+0x44/0x94
      [<ffff00000814494c>] __handle_irq_event_percpu+0x60/0x24c
      [<ffff000008144c0c>] handle_irq_event+0x58/0xc0
      [<ffff00000814873c>] handle_fasteoi_irq+0x98/0x180
      [<ffff000008143a10>] generic_handle_irq+0x24/0x38
      [<ffff000008144170>] __handle_domain_irq+0x60/0xac
      [<ffff0000080819c4>] gic_handle_irq+0xd4/0x17c
      Signed-off-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dff38149
    • Navid Emamdoost's avatar
      usb: dwc3: pci: prevent memory leak in dwc3_pci_probe · 10eb9abd
      Navid Emamdoost authored
      [ Upstream commit 9bbfceea ]
      
      In dwc3_pci_probe a call to platform_device_alloc allocates a device
      which is correctly put in case of error except one case: when the call to
      platform_device_add_properties fails it directly returns instead of
      going to error handling. This commit replaces return with the goto.
      
      Fixes: 1a7b12f6 ("usb: dwc3: pci: Supply device properties via driver data")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      10eb9abd
    • Chandana Kishori Chiluveru's avatar
      usb: gadget: composite: Fix possible double free memory bug · c73ccf65
      Chandana Kishori Chiluveru authored
      [ Upstream commit 1c20c89b ]
      
      composite_dev_cleanup call from the failure of configfs_composite_bind
      frees up the cdev->os_desc_req and cdev->req. If the previous calls of
      bind and unbind is successful these will carry stale values.
      
      Consider the below sequence of function calls:
      configfs_composite_bind()
              composite_dev_prepare()
                      - Allocate cdev->req, cdev->req->buf
              composite_os_desc_req_prepare()
                      - Allocate cdev->os_desc_req, cdev->os_desc_req->buf
      configfs_composite_unbind()
              composite_dev_cleanup()
                      - free the cdev->os_desc_req->buf and cdev->req->buf
      Next composition switch
      configfs_composite_bind()
              - If it fails goto err_comp_cleanup will call the
      	  composite_dev_cleanup() function
              composite_dev_cleanup()
      	        - calls kfree up with the stale values of cdev->req->buf and
      		  cdev->os_desc_req from the previous configfs_composite_bind
      		  call. The free call on these stale values leads to double free.
      
      Hence, Fix this issue by setting request and buffer pointer to NULL after
      kfree.
      Signed-off-by: default avatarChandana Kishori Chiluveru <cchiluve@codeaurora.org>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c73ccf65
    • Cristian Birsan's avatar
      usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode. · 26d31e1c
      Cristian Birsan authored
      [ Upstream commit ba3a1a91 ]
      
      Fix interrupt storm generated by endpoints when working in FIFO mode.
      The TX_COMPLETE interrupt is used only by control endpoints processing.
      Do not enable it for other types of endpoints.
      
      Fixes: 914a3f3b ("USB: add atmel_usba_udc driver")
      Signed-off-by: default avatarCristian Birsan <cristian.birsan@microchip.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      26d31e1c
    • Nikhil Badola's avatar
      usb: fsl: Check memory resource before releasing it · 88912019
      Nikhil Badola authored
      [ Upstream commit bc1e3a2d ]
      
      Check memory resource existence before releasing it to avoid NULL
      pointer dereference
      Signed-off-by: default avatarNikhil Badola <nikhil.badola@freescale.com>
      Reviewed-by: default avatarRan Wang <ran.wang_1@nxp.com>
      Reviewed-by: default avatarPeter Chen <peter.chen@nxp.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      88912019
    • Taehee Yoo's avatar
      macsec: fix refcnt leak in module exit routine · 3a2675a2
      Taehee Yoo authored
      [ Upstream commit 2bce1ebe ]
      
      When a macsec interface is created, it increases a refcnt to a lower
      device(real device). when macsec interface is deleted, the refcnt is
      decreased in macsec_free_netdev(), which is ->priv_destructor() of
      macsec interface.
      
      The problem scenario is this.
      When nested macsec interfaces are exiting, the exit routine of the
      macsec module makes refcnt leaks.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add macsec0 link dummy0 type macsec
          ip link add macsec1 link macsec0 type macsec
          modprobe -rv macsec
      
      [  208.629433] unregister_netdevice: waiting for macsec0 to become free. Usage count = 1
      
      Steps of exit routine of macsec module are below.
      1. Calls ->dellink() in __rtnl_link_unregister().
      2. Checks refcnt and wait refcnt to be 0 if refcnt is not 0 in
      netdev_run_todo().
      3. Calls ->priv_destruvtor() in netdev_run_todo().
      
      Step2 checks refcnt, but step3 decreases refcnt.
      So, step2 waits forever.
      
      This patch makes the macsec module do not hold a refcnt of the lower
      device because it already holds a refcnt of the lower device with
      netdev_upper_dev_link().
      
      Fixes: c09440f7 ("macsec: introduce IEEE 802.1AE driver")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3a2675a2
    • Taehee Yoo's avatar
      bonding: fix unexpected IFF_BONDING bit unset · 0d0ca85a
      Taehee Yoo authored
      [ Upstream commit 65de65d9 ]
      
      The IFF_BONDING means bonding master or bonding slave device.
      ->ndo_add_slave() sets IFF_BONDING flag and ->ndo_del_slave() unsets
      IFF_BONDING flag.
      
      bond0<--bond1
      
      Both bond0 and bond1 are bonding device and these should keep having
      IFF_BONDING flag until they are removed.
      But bond1 would lose IFF_BONDING at ->ndo_del_slave() because that routine
      do not check whether the slave device is the bonding type or not.
      This patch adds the interface type check routine before removing
      IFF_BONDING flag.
      
      Test commands:
          ip link add bond0 type bond
          ip link add bond1 type bond
          ip link set bond1 master bond0
          ip link set bond1 nomaster
          ip link del bond1 type bond
          ip link add bond1 type bond
      
      Splat looks like:
      [  226.665555] proc_dir_entry 'bonding/bond1' already registered
      [  226.666440] WARNING: CPU: 0 PID: 737 at fs/proc/generic.c:361 proc_register+0x2a9/0x3e0
      [  226.667571] Modules linked in: bonding af_packet sch_fq_codel ip_tables x_tables unix
      [  226.668662] CPU: 0 PID: 737 Comm: ip Not tainted 5.4.0-rc3+ #96
      [  226.669508] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [  226.670652] RIP: 0010:proc_register+0x2a9/0x3e0
      [  226.671612] Code: 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 39 01 00 00 48 8b 04 24 48 89 ea 48 c7 c7 a0 0b 14 9f 48 8b b0 e
      0 00 00 00 e8 07 e7 88 ff <0f> 0b 48 c7 c7 40 2d a5 9f e8 59 d6 23 01 48 8b 4c 24 10 48 b8 00
      [  226.675007] RSP: 0018:ffff888050e17078 EFLAGS: 00010282
      [  226.675761] RAX: dffffc0000000008 RBX: ffff88805fdd0f10 RCX: ffffffff9dd344e2
      [  226.676757] RDX: 0000000000000001 RSI: 0000000000000008 RDI: ffff88806c9f6b8c
      [  226.677751] RBP: ffff8880507160f3 R08: ffffed100d940019 R09: ffffed100d940019
      [  226.678761] R10: 0000000000000001 R11: ffffed100d940018 R12: ffff888050716008
      [  226.679757] R13: ffff8880507160f2 R14: dffffc0000000000 R15: ffffed100a0e2c1e
      [  226.680758] FS:  00007fdc217cc0c0(0000) GS:ffff88806c800000(0000) knlGS:0000000000000000
      [  226.681886] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  226.682719] CR2: 00007f49313424d0 CR3: 0000000050e46001 CR4: 00000000000606f0
      [  226.683727] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  226.684725] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  226.685681] Call Trace:
      [  226.687089]  proc_create_seq_private+0xb3/0xf0
      [  226.687778]  bond_create_proc_entry+0x1b3/0x3f0 [bonding]
      [  226.691458]  bond_netdev_event+0x433/0x970 [bonding]
      [  226.692139]  ? __module_text_address+0x13/0x140
      [  226.692779]  notifier_call_chain+0x90/0x160
      [  226.693401]  register_netdevice+0x9b3/0xd80
      [  226.694010]  ? alloc_netdev_mqs+0x854/0xc10
      [  226.694629]  ? netdev_change_features+0xa0/0xa0
      [  226.695278]  ? rtnl_create_link+0x2ed/0xad0
      [  226.695849]  bond_newlink+0x2a/0x60 [bonding]
      [  226.696422]  __rtnl_newlink+0xb9f/0x11b0
      [  226.696968]  ? rtnl_link_unregister+0x220/0x220
      [ ... ]
      
      Fixes: 0b680e75 ("[PATCH] bonding: Add priv_flag to avoid event mishandling")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0d0ca85a
    • Eric Dumazet's avatar
      ipvs: move old_secure_tcp into struct netns_ipvs · 50e31318
      Eric Dumazet authored
      [ Upstream commit c24b75e0 ]
      
      syzbot reported the following issue :
      
      BUG: KCSAN: data-race in update_defense_level / update_defense_level
      
      read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1:
       update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177
       defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
       process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
       worker_thread+0xa0/0x800 kernel/workqueue.c:2415
       kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0:
       update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205
       defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225
       process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
       worker_thread+0xa0/0x800 kernel/workqueue.c:2415
       kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
       ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events defense_work_handler
      
      Indeed, old_secure_tcp is currently a static variable, while it
      needs to be a per netns variable.
      
      Fixes: a0840e2e ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      50e31318
    • Davide Caratti's avatar
      ipvs: don't ignore errors in case refcounting ip_vs module fails · 102f4078
      Davide Caratti authored
      [ Upstream commit 62931f59 ]
      
      if the IPVS module is removed while the sync daemon is starting, there is
      a small gap where try_module_get() might fail getting the refcount inside
      ip_vs_use_count_inc(). Then, the refcounts of IPVS module are unbalanced,
      and the subsequent call to stop_sync_thread() causes the following splat:
      
       WARNING: CPU: 0 PID: 4013 at kernel/module.c:1146 module_put.part.44+0x15b/0x290
        Modules linked in: ip_vs(-) nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 veth ip6table_filter ip6_tables iptable_filter binfmt_misc intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul ext4 mbcache jbd2 ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd glue_helper joydev pcspkr snd_timer virtio_balloon snd soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk failover virtio_console qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ata_piix ttm crc32c_intel serio_raw drm virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv6]
        CPU: 0 PID: 4013 Comm: modprobe Tainted: G        W         5.4.0-rc1.upstream+ #741
        Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
        RIP: 0010:module_put.part.44+0x15b/0x290
        Code: 04 25 28 00 00 00 0f 85 18 01 00 00 48 83 c4 68 5b 5d 41 5c 41 5d 41 5e 41 5f c3 89 44 24 28 83 e8 01 89 c5 0f 89 57 ff ff ff <0f> 0b e9 78 ff ff ff 65 8b 1d 67 83 26 4a 89 db be 08 00 00 00 48
        RSP: 0018:ffff888050607c78 EFLAGS: 00010297
        RAX: 0000000000000003 RBX: ffffffffc1420590 RCX: ffffffffb5db0ef9
        RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffc1420590
        RBP: 00000000ffffffff R08: fffffbfff82840b3 R09: fffffbfff82840b3
        R10: 0000000000000001 R11: fffffbfff82840b2 R12: 1ffff1100a0c0f90
        R13: ffffffffc1420200 R14: ffff88804f533300 R15: ffff88804f533ca0
        FS:  00007f8ea9720740(0000) GS:ffff888053800000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007f3245abe000 CR3: 000000004c28a006 CR4: 00000000001606f0
        Call Trace:
         stop_sync_thread+0x3a3/0x7c0 [ip_vs]
         ip_vs_sync_net_cleanup+0x13/0x50 [ip_vs]
         ops_exit_list.isra.5+0x94/0x140
         unregister_pernet_operations+0x29d/0x460
         unregister_pernet_device+0x26/0x60
         ip_vs_cleanup+0x11/0x38 [ip_vs]
         __x64_sys_delete_module+0x2d5/0x400
         do_syscall_64+0xa5/0x4e0
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f8ea8bf0db7
        Code: 73 01 c3 48 8b 0d b9 80 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 80 2c 00 f7 d8 64 89 01 48
        RSP: 002b:00007ffcd38d2fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
        RAX: ffffffffffffffda RBX: 0000000002436240 RCX: 00007f8ea8bf0db7
        RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00000000024362a8
        RBP: 0000000000000000 R08: 00007f8ea8eba060 R09: 00007f8ea8c658a0
        R10: 00007ffcd38d2a60 R11: 0000000000000206 R12: 0000000000000000
        R13: 0000000000000001 R14: 00000000024362a8 R15: 0000000000000000
        irq event stamp: 4538
        hardirqs last  enabled at (4537): [<ffffffffb6193dde>] quarantine_put+0x9e/0x170
        hardirqs last disabled at (4538): [<ffffffffb5a0556a>] trace_hardirqs_off_thunk+0x1a/0x20
        softirqs last  enabled at (4522): [<ffffffffb6f8ebe9>] sk_common_release+0x169/0x2d0
        softirqs last disabled at (4520): [<ffffffffb6f8eb3e>] sk_common_release+0xbe/0x2d0
      
      Check the return value of ip_vs_use_count_inc() and let its caller return
      proper error. Inside do_ip_vs_set_ctl() the module is already refcounted,
      we don't need refcount/derefcount there. Finally, in register_ip_vs_app()
      and start_sync_thread(), take the module refcount earlier and ensure it's
      released in the error path.
      
      Change since v1:
       - better return values in case of failure of ip_vs_use_count_inc(),
         thanks to Julian Anastasov
       - no need to increase/decrease the module refcount in ip_vs_set_ctl(),
         thanks to Julian Anastasov
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      102f4078