    scsi: scsi_devinfo: handle non-terminated strings · 46ddb2be
    Martin Wilck authored
    commit ba69ead9 upstream.
    
    devinfo->vendor and devinfo->model aren't necessarily
    zero-terminated.
    
    Fixes: b8018b97 "scsi_devinfo: fixup string compare"
    Signed-off-by: Martin Wilck's avatarMartin Wilck <[email protected]>
    Reviewed-by: default avatarBart Van Assche <[email protected]>
    Signed-off-by: Martin K. Petersen's avatarMartin K. Petersen <[email protected]>
    Cc: Guenter Roeck <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    net: be more gentle about silly gso requests coming from user · b875b337
    Eric Dumazet authored
    commit 7c6d2ecb upstream.
    
    Recent change in virtio_net_hdr_to_skb() broke some packetdrill tests.
    
    When the --mss=XXX option is set, packetdrill always provides gso_type & gso_size
    for its inbound packets, regardless of packet size.
    
    	if (packet->tcp && packet->mss) {
    		if (packet->ipv4)
    			gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV4;
    		else
    			gso.gso_type = VIRTIO_NET_HDR_GSO_TCPV6;
    		gso.gso_size = packet->mss;
    	}
    
    Since many other programs could do the same, relax virtio_net_hdr_to_skb()
    to no longer return an error, but instead ignore gso settings.
    
    This keeps Willem intent to make sure no malicious packet could
    reach gso stack.
    
    Note that TCP stack has a special logic in tcp_set_skb_tso_segs()
    to clear gso_size for small packets.
    
    Fixes: 6dd912f8 ("net: check untrusted gso_size at kernel entry")
    Signed-off-by: default avatarEric Dumazet <[email protected]>
    Cc: Willem de Bruijn <[email protected]>
    Acked-by: default avatarWillem de Bruijn <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Cc: Guenter Roeck <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed · ee5f7093
    yu kuai authored
    commit a75ca930 upstream.
    
    commit e7bf90e5 ("block/bio-integrity: fix a memory leak bug") added
    a kfree() for 'buf' if bio_integrity_add_page() returns '0'. However,
    the object will be freed in bio_integrity_free() since 'bio->bi_opf' and
    'bio->bi_integrity' were set previously in bio_integrity_alloc().
    
    Fixes: commit e7bf90e5 ("block/bio-integrity: fix a memory leak bug")
    Signed-off-by: default avataryu kuai <[email protected]>
    Reviewed-by: default avatarMing Lei <[email protected]>
    Reviewed-by: default avatarBob Liu <[email protected]>
    Acked-by: Martin K. Petersen's avatarMartin K. Petersen <[email protected]>
    Signed-off-by: default avatarJens Axboe <[email protected]>
    Cc: Guenter Roeck <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    net: sched: export __netdev_watchdog_up() · 102f4f7e
    Valentin Longchamp authored
    [ Upstream commit 1a3db27a ]
    
    Since the quiesce/activate rework, __netdev_watchdog_up() is directly
    called in the ucc_geth driver.
    
    Unfortunately, this function is not available for modules and thus
    ucc_geth cannot be built as a module anymore. Fix it by exporting
    __netdev_watchdog_up().
    
    Since the commit introducing the regression was backported to stable
    branches, this one should ideally be as well.
    
    Fixes: 79dde73c ("net/ethernet/freescale: rework quiesce/activate for ucc_geth")
    Signed-off-by: default avatarValentin Longchamp <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()" · 92441410
    Al Viro authored
    [ Upstream commit 9d964e1b ]
    
    lost npc in PTRACE_SETREGSET, breaking PTRACE_SETREGS as well
    
    Fixes: cf51e129 "sparc32: fix register window handling in genregs32_[gs]et()"
    Signed-off-by: default avatarAl Viro <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    apparmor: don't try to replace stale label in ptraceme check · 25783186
    Jann Horn authored
    [ Upstream commit ca3fde52 ]
    
    begin_current_label_crit_section() must run in sleepable context because
    when label_is_stale() is true, aa_replace_current_label() runs, which uses
    prepare_creds(), which can sleep.
    
    Until now, the ptraceme access check (which runs with tasklist_lock held)
    violated this rule.
    
    Fixes: b2d09ae4 ("apparmor: move ptrace checks to using labels")
    Reported-by: Cyrill Gorcunov's avatarCyrill Gorcunov <[email protected]>
    Reported-by: default avatarkernel test robot <[email protected]>
    Signed-off-by: default avatarJann Horn <[email protected]>
    Signed-off-by: default avatarJohn Johansen <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    ibmveth: Fix max MTU limit · 72ef5dc2
    Thomas Falcon authored
    [ Upstream commit 5948378b ]
    
    The max MTU limit defined for ibmveth is not accounting for
    virtual ethernet buffer overhead, which is twenty-two additional
    bytes set aside for the ethernet header and eight additional bytes
    of an opaque handle reserved for use by the hypervisor. Update the
    max MTU to reflect this overhead.
    
    Fixes: d894be57 ("ethernet: use net core MTU range checking in more drivers")
    Fixes: 110447f8 ("ethernet: fix min/max MTU typos")
    Signed-off-by: default avatarThomas Falcon <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    mld: fix memory leak in ipv6_mc_destroy_dev() · 16d73ba2
    Wang Hai authored
    [ Upstream commit ea2fce88 ]
    
    Commit a84d0164 ("mld: fix memory leak in mld_del_delrec()") fixed
    the memory leak of MLD, but missed the ipv6_mc_destroy_dev() path, in
    which mca_sources are leaked after ma_put().
    
    Using ip6_mc_clear_src() to take care of the missing free.
    
    BUG: memory leak
    unreferenced object 0xffff8881113d3180 (size 64):
      comm "syz-executor071", pid 389, jiffies 4294887985 (age 17.943s)
      hex dump (first 32 bytes):
        00 00 00 00 00 00 00 00 ff 02 00 00 00 00 00 00  ................
        00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<000000002cbc483c>] kmalloc include/linux/slab.h:555 [inline]
        [<000000002cbc483c>] kzalloc include/linux/slab.h:669 [inline]
        [<000000002cbc483c>] ip6_mc_add1_src net/ipv6/mcast.c:2237 [inline]
        [<000000002cbc483c>] ip6_mc_add_src+0x7f5/0xbb0 net/ipv6/mcast.c:2357
        [<0000000058b8b1ff>] ip6_mc_source+0xe0c/0x1530 net/ipv6/mcast.c:449
        [<000000000bfc4fb5>] do_ipv6_setsockopt.isra.12+0x1b2c/0x3b30 net/ipv6/ipv6_sockglue.c:754
        [<00000000e4e7a722>] ipv6_setsockopt+0xda/0x150 net/ipv6/ipv6_sockglue.c:950
        [<0000000029260d9a>] rawv6_setsockopt+0x45/0x100 net/ipv6/raw.c:1081
        [<000000005c1b46f9>] __sys_setsockopt+0x131/0x210 net/socket.c:2132
        [<000000008491f7db>] __do_sys_setsockopt net/socket.c:2148 [inline]
        [<000000008491f7db>] __se_sys_setsockopt net/socket.c:2145 [inline]
        [<000000008491f7db>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2145
        [<00000000c7bc11c5>] do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295
        [<000000005fb7a3f3>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
    
    Fixes: 1666d49e ("mld: do not remove mld souce list info when set link down")
    Reported-by: default avatarHulk Robot <[email protected]>
    Signed-off-by: default avatarWang Hai <[email protected]>
    Acked-by: Hangbin Liu's avatarHangbin Liu <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    net: bridge: enfore alignment for ethernet address · cb437459
    Thomas Martitz authored
    [ Upstream commit db7202dec92e6caa2706c21d6fc359af318bde2e ]
    
    The eth_addr member is passed to ether_addr functions that require
    2-byte alignment, therefore the member must be properly aligned
    to avoid unaligned accesses.
    
    The problem is in place since the initial merge of multicast to unicast:
    commit 6db6f0ea bridge: multicast to unicast
    
    Fixes: 6db6f0ea ("bridge: multicast to unicast")
    Cc: Roopa Prabhu <[email protected]>
    Cc: Nikolay Aleksandrov <[email protected]>
    Cc: David S. Miller <[email protected]>
    Cc: Jakub Kicinski <[email protected]>
    Cc: Felix Fietkau <[email protected]>
    Cc: [email protected]
    Signed-off-by: default avatarThomas Martitz <[email protected]>
    Acked-by: default avatarNikolay Aleksandrov <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    net: fix memleak in register_netdevice() · 4cec97e8
    Yang Yingliang authored
    [ Upstream commit 814152a8 ]
    
    I got a memleak report when doing some fuzz test:
    
    unreferenced object 0xffff888112584000 (size 13599):
      comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
      hex dump (first 32 bytes):
        74 61 70 30 00 00 00 00 00 00 00 00 00 00 00 00  tap0............
        00 ee d9 19 81 88 ff ff 00 00 00 00 00 00 00 00  ................
      backtrace:
        [<000000002f60ba65>] __kmalloc_node+0x309/0x3a0
        [<0000000075b211ec>] kvmalloc_node+0x7f/0xc0
        [<00000000d3a97396>] alloc_netdev_mqs+0x76/0xfc0
        [<00000000609c3655>] __tun_chr_ioctl+0x1456/0x3d70
        [<000000001127ca24>] ksys_ioctl+0xe5/0x130
        [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
        [<00000000e1023498>] do_syscall_64+0x56/0xa0
        [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    unreferenced object 0xffff888111845cc0 (size 8):
      comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
      hex dump (first 8 bytes):
        74 61 70 30 00 88 ff ff                          tap0....
      backtrace:
        [<000000004c159777>] kstrdup+0x35/0x70
        [<00000000d8b496ad>] kstrdup_const+0x3d/0x50
        [<00000000494e884a>] kvasprintf_const+0xf1/0x180
        [<0000000097880a2b>] kobject_set_name_vargs+0x56/0x140
        [<000000008fbdfc7b>] dev_set_name+0xab/0xe0
        [<000000005b99e3b4>] netdev_register_kobject+0xc0/0x390
        [<00000000602704fe>] register_netdevice+0xb61/0x1250
        [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
        [<000000001127ca24>] ksys_ioctl+0xe5/0x130
        [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
        [<00000000e1023498>] do_syscall_64+0x56/0xa0
        [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    unreferenced object 0xffff88811886d800 (size 512):
      comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
      hex dump (first 32 bytes):
        00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00  .....N..........
        ff ff ff ff ff ff ff ff c0 66 3d a3 ff ff ff ff  .........f=.....
      backtrace:
        [<0000000050315800>] device_add+0x61e/0x1950
        [<0000000021008dfb>] netdev_register_kobject+0x17e/0x390
        [<00000000602704fe>] register_netdevice+0xb61/0x1250
        [<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
        [<000000001127ca24>] ksys_ioctl+0xe5/0x130
        [<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
        [<00000000e1023498>] do_syscall_64+0x56/0xa0
        [<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    If call_netdevice_notifiers() failed, then rollback_registered()
    calls netdev_unregister_kobject() which holds the kobject. The
    reference cannot be put because the netdev won't be added to the todo
    list, so it leads to a memleak; we need to put the reference to
    avoid the memleak.
    Reported-by: default avatarHulk Robot <[email protected]>
    Signed-off-by: default avatarYang Yingliang <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    net: usb: ax88179_178a: fix packet alignment padding · a163c574
    Jeremy Kerr authored
    [ Upstream commit e869e7a1 ]
    
    Using an AX88179 device (0b95:1790), I see two bytes of appended data on
    every RX packet. For example, this 48-byte ping, using 0xff as a
    payload byte:
    
      04:20:22.528472 IP 192.168.1.1 > 192.168.1.2: ICMP echo request, id 2447, seq 1, length 64
    	0x0000:  000a cd35 ea50 000a cd35 ea4f 0800 4500
    	0x0010:  0054 c116 4000 4001 f63e c0a8 0101 c0a8
    	0x0020:  0102 0800 b633 098f 0001 87ea cd5e 0000
    	0x0030:  0000 dcf2 0600 0000 0000 ffff ffff ffff
    	0x0040:  ffff ffff ffff ffff ffff ffff ffff ffff
    	0x0050:  ffff ffff ffff ffff ffff ffff ffff ffff
    	0x0060:  ffff 961f
    
    Those last two bytes - 96 1f - aren't part of the original packet.
    
    In the ax88179 RX path, the usbnet rx_fixup function trims a 2-byte
    'alignment pseudo header' from the start of the packet, and sets the
    length from a per-packet field populated by hardware. It looks like that
    length field *includes* the 2-byte header; the current driver assumes
    that it's excluded.
    
    This change trims the 2-byte alignment header after we've set the packet
    length, so the resulting packet length is correct. While we're moving
    the comment around, this also fixes the spelling of 'pseudo'.
    Signed-off-by: default avatarJeremy Kerr <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    rocker: fix incorrect error handling in dma_rings_init · 58be8418
    Aditya Pakki authored
    [ Upstream commit 58d0c864 ]
    
    In rocker_dma_rings_init, the goto blocks in case of errors
    caused by the functions rocker_dma_cmd_ring_waits_alloc() and
    rocker_dma_ring_create() are incorrect. The patch fixes the
    order consistent with cleanup in rocker_dma_rings_fini().
    Signed-off-by: default avatarAditya Pakki <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    rxrpc: Fix notification call on completion of discarded calls · 098fcf52
    David Howells authored
    [ Upstream commit 0041cd5a ]
    
    When preallocated service calls are being discarded, they're passed to
    ->discard_new_call() to have the caller clean up any attached higher-layer
    preallocated pieces before being marked completed.  However, the act of
    marking them completed now invokes the call's notification function - which
    causes a problem because that function might assume that the previously
    freed pieces of memory are still there.
    
    Fix this by setting a dummy notification function on the socket after
    calling ->discard_new_call().
    
    This results in the following kasan message when the kafs module is
    removed.
    
    ==================================================================
    BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707
    Write of size 1 at addr ffff8880946c39e4 by task kworker/u4:1/21
    
    CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc1-syzkaller #0
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Workqueue: netns cleanup_net
    Call Trace:
     __dump_stack lib/dump_stack.c:77 [inline]
     dump_stack+0x18f/0x20d lib/dump_stack.c:118
     print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383
     __kasan_report mm/kasan/report.c:513 [inline]
     kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
     afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707
     rxrpc_notify_socket+0x1db/0x5d0 net/rxrpc/recvmsg.c:40
     __rxrpc_set_call_completion.part.0+0x172/0x410 net/rxrpc/recvmsg.c:76
     __rxrpc_call_completed net/rxrpc/recvmsg.c:112 [inline]
     rxrpc_call_completed+0xca/0xf0 net/rxrpc/recvmsg.c:111
     rxrpc_discard_prealloc+0x781/0xab0 net/rxrpc/call_accept.c:233
     rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245
     afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110
     afs_net_exit+0x1bc/0x310 fs/afs/main.c:155
     ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186
     cleanup_net+0x511/0xa50 net/core/net_namespace.c:603
     process_one_work+0x965/0x1690 kernel/workqueue.c:2269
     worker_thread+0x96/0xe10 kernel/workqueue.c:2415
     kthread+0x3b5/0x4a0 kernel/kthread.c:291
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
    
    Allocated by task 6820:
     save_stack+0x1b/0x40 mm/kasan/common.c:48
     set_track mm/kasan/common.c:56 [inline]
     __kasan_kmalloc mm/kasan/common.c:494 [inline]
     __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467
     kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551
     kmalloc include/linux/slab.h:555 [inline]
     kzalloc include/linux/slab.h:669 [inline]
     afs_alloc_call+0x55/0x630 fs/afs/rxrpc.c:141
     afs_charge_preallocation+0xe9/0x2d0 fs/afs/rxrpc.c:757
     afs_open_socket+0x292/0x360 fs/afs/rxrpc.c:92
     afs_net_init+0xa6c/0xe30 fs/afs/main.c:125
     ops_init+0xaf/0x420 net/core/net_namespace.c:151
     setup_net+0x2de/0x860 net/core/net_namespace.c:341
     copy_net_ns+0x293/0x590 net/core/net_namespace.c:482
     create_new_namespaces+0x3fb/0xb30 kernel/nsproxy.c:110
     unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231
     ksys_unshare+0x43d/0x8e0 kernel/fork.c:2983
     __do_sys_unshare kernel/fork.c:3051 [inline]
     __se_sys_unshare kernel/fork.c:3049 [inline]
     __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3049
     do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359
     entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Freed by task 21:
     save_stack+0x1b/0x40 mm/kasan/common.c:48
     set_track mm/kasan/common.c:56 [inline]
     kasan_set_free_info mm/kasan/common.c:316 [inline]
     __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455
     __cache_free mm/slab.c:3426 [inline]
     kfree+0x109/0x2b0 mm/slab.c:3757
     afs_put_call+0x585/0xa40 fs/afs/rxrpc.c:190
     rxrpc_discard_prealloc+0x764/0xab0 net/rxrpc/call_accept.c:230
     rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245
     afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110
     afs_net_exit+0x1bc/0x310 fs/afs/main.c:155
     ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186
     cleanup_net+0x511/0xa50 net/core/net_namespace.c:603
     process_one_work+0x965/0x1690 kernel/workqueue.c:2269
     worker_thread+0x96/0xe10 kernel/workqueue.c:2415
     kthread+0x3b5/0x4a0 kernel/kthread.c:291
     ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293
    
    The buggy address belongs to the object at ffff8880946c3800
     which belongs to the cache kmalloc-1k of size 1024
    The buggy address is located 484 bytes inside of
     1024-byte region [ffff8880946c3800, ffff8880946c3c00)
    The buggy address belongs to the page:
    page:ffffea000251b0c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
    flags: 0xfffe0000000200(slab)
    raw: 00fffe0000000200 ffffea0002546508 ffffea00024fa248 ffff8880aa000c40
    raw: 0000000000000000 ffff8880946c3000 0000000100000002 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
     ffff8880946c3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880946c3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff8880946c3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                           ^
     ffff8880946c3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
     ffff8880946c3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ==================================================================
    
    Reported-by: [email protected]
    Fixes: 5ac0d622 ("rxrpc: Fix missing notification")
    Signed-off-by: default avatarDavid Howells <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket · d26d1104
    Marcelo Ricardo Leitner authored
    [ Upstream commit 471e39df ]
    
    If a socket is set ipv6only, it will still send IPv4 addresses in the
    INIT and INIT_ACK packets. This potentially misleads the peer into using
    them, which then would cause association termination.
    
    The fix is to not add IPv4 addresses to ipv6only sockets.
    
    Fixes: 1da177e4 ("Linux-2.6.12-rc2")
    Reported-by: default avatarCorey Minyard <[email protected]>
    Signed-off-by: Marcelo Ricardo Leitner's avatarMarcelo Ricardo Leitner <[email protected]>
    Tested-by: default avatarCorey Minyard <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    tcp: grow window for OOO packets only for SACK flows · 2f9aa3a7
    Eric Dumazet authored
    [ Upstream commit 66205121 ]
    
    Back in 2013, we made a change that broke fast retransmit
    for non SACK flows.
    
    Indeed, for these flows, a sender needs to receive three duplicate
    ACKs before starting fast retransmit. ACKs carrying a different
    receive window do not count.
    
    Even if enabling SACK is strongly recommended these days,
    there still are some cases where it has to be disabled.
    
    Not increasing the window seems better than having to
    rely on RTO.
    
    After the fix, following packetdrill test gives :
    
    // Initialize connection
        0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
       +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
       +0 bind(3, ..., ...) = 0
       +0 listen(3, 1) = 0
    
       +0 < S 0:0(0) win 32792 <mss 1000,nop,wscale 7>
       +0 > S. 0:0(0) ack 1 <mss 1460,nop,wscale 8>
       +0 < . 1:1(0) ack 1 win 514
    
       +0 accept(3, ..., ...) = 4
    
       +0 < . 1:1001(1000) ack 1 win 514
    // Quick ack
       +0 > . 1:1(0) ack 1001 win 264
    
       +0 < . 2001:3001(1000) ack 1 win 514
    // DUPACK : Normally we should not change the window
       +0 > . 1:1(0) ack 1001 win 264
    
       +0 < . 3001:4001(1000) ack 1 win 514
    // DUPACK : Normally we should not change the window
       +0 > . 1:1(0) ack 1001 win 264
    
       +0 < . 4001:5001(1000) ack 1 win 514
    // DUPACK : Normally we should not change the window
        +0 > . 1:1(0) ack 1001 win 264
    
       +0 < . 1001:2001(1000) ack 1 win 514
    // Hole is repaired.
       +0 > . 1:1(0) ack 5001 win 272
    
    Fixes: 4e4f1fc2 ("tcp: properly increase rcv_ssthresh for ofo packets")
    Signed-off-by: default avatarEric Dumazet <[email protected]>
    Reported-by: default avatarVenkat Venkatsubra <[email protected]>
    Acked-by: default avatarNeal Cardwell <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes · ab7a0572
    David Christensen authored
    [ Upstream commit 3a2656a2 ]
    
    The driver function tg3_io_error_detected() calls napi_disable twice,
    without an intervening napi_enable, when the number of EEH errors exceeds
    eeh_max_freezes, resulting in an indefinite sleep while holding rtnl_lock.
    
    Add check for pcierr_recovery which skips code already executed for the
    "Frozen" state.
    Signed-off-by: default avatarDavid Christensen <[email protected]>
    Reviewed-by: default avatarMichael Chan <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    ip_tunnel: fix use-after-free in ip_tunnel_lookup() · 64e1dfe9
    Taehee Yoo authored
    [ Upstream commit ba61539c ]
    
    In the datapath, ip_tunnel_lookup() is used and it internally uses the
    fallback tunnel device pointer, which is fb_tunnel_dev.
    This pointer variable should be set to NULL when a fb interface is deleted.
    But there is no routine to set the fb_tunnel_dev pointer to NULL.
    So this pointer will still be used after the interface is deleted and
    it eventually results in a use-after-free problem.
    
    Test commands:
        ip netns add A
        ip netns add B
        ip link add eth0 type veth peer name eth1
        ip link set eth0 netns A
        ip link set eth1 netns B
    
        ip netns exec A ip link set lo up
        ip netns exec A ip link set eth0 up
        ip netns exec A ip link add gre1 type gre local 10.0.0.1 \
    	    remote 10.0.0.2
        ip netns exec A ip link set gre1 up
        ip netns exec A ip a a 10.0.100.1/24 dev gre1
        ip netns exec A ip a a 10.0.0.1/24 dev eth0
    
        ip netns exec B ip link set lo up
        ip netns exec B ip link set eth1 up
        ip netns exec B ip link add gre1 type gre local 10.0.0.2 \
    	    remote 10.0.0.1
        ip netns exec B ip link set gre1 up
        ip netns exec B ip a a 10.0.100.2/24 dev gre1
        ip netns exec B ip a a 10.0.0.2/24 dev eth1
        ip netns exec A hping3 10.0.100.2 -2 --flood -d 60000 &
        ip netns del B
    
    Splat looks like:
    [   77.793450][    C3] ==================================================================
    [   77.794702][    C3] BUG: KASAN: use-after-free in ip_tunnel_lookup+0xcc4/0xf30
    [   77.795573][    C3] Read of size 4 at addr ffff888060bd9c84 by task hping3/2905
    [   77.796398][    C3]
    [   77.796664][    C3] CPU: 3 PID: 2905 Comm: hping3 Not tainted 5.8.0-rc1+ #616
    [   77.797474][    C3] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [   77.798453][    C3] Call Trace:
    [   77.798815][    C3]  <IRQ>
    [   77.799142][    C3]  dump_stack+0x9d/0xdb
    [   77.799605][    C3]  print_address_description.constprop.7+0x2cc/0x450
    [   77.800365][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
    [   77.800908][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
    [   77.801517][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
    [   77.802145][    C3]  kasan_report+0x154/0x190
    [   77.802821][    C3]  ? ip_tunnel_lookup+0xcc4/0xf30
    [   77.803503][    C3]  ip_tunnel_lookup+0xcc4/0xf30
    [   77.804165][    C3]  __ipgre_rcv+0x1ab/0xaa0 [ip_gre]
    [   77.804862][    C3]  ? rcu_read_lock_sched_held+0xc0/0xc0
    [   77.805621][    C3]  gre_rcv+0x304/0x1910 [ip_gre]
    [   77.806293][    C3]  ? lock_acquire+0x1a9/0x870
    [   77.806925][    C3]  ? gre_rcv+0xfe/0x354 [gre]
    [   77.807559][    C3]  ? erspan_xmit+0x2e60/0x2e60 [ip_gre]
    [   77.808305][    C3]  ? rcu_read_lock_sched_held+0xc0/0xc0
    [   77.809032][    C3]  ? rcu_read_lock_held+0x90/0xa0
    [   77.809713][    C3]  gre_rcv+0x1b8/0x354 [gre]
    [ ... ]
    Suggested-by: default avatarEric Dumazet <[email protected]>
    Fixes: c5441932 ("GRE: Refactor GRE tunneling code.")
    Signed-off-by: default avatarTaehee Yoo <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT · 36827983
    Neal Cardwell authored
    [ Upstream commit b344579c ]
    
    Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
    Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
    ACK when the minimum rtt of a connection goes down. From inspection it
    is clear from the existing code that this could happen in an example
    like the following:
    
    o The first 8 RTT samples in a round trip are 150ms, resulting in a
      curr_rtt of 150ms and a delay_min of 150ms.
    
    o The 9th RTT sample is 100ms. The curr_rtt does not change after the
      first 8 samples, so curr_rtt remains 150ms. But delay_min can be
      lowered at any time, so delay_min falls to 100ms. The code executes
      the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
      of 100ms, and the curr_rtt is declared far enough above delay_min to
      force a (spurious) exit of Slow start.
    
    The fix here is simple: allow every RTT sample in a round trip to
    lower the curr_rtt.
    
    Fixes: ae27e98a ("[TCP] CUBIC v2.3")
    Reported-by: default avatarMirja Kuehlewind <[email protected]>
    Signed-off-by: default avatarNeal Cardwell <[email protected]>
    Signed-off-by: default avatarEric Dumazet <[email protected]>
    Acked-by: default avatarSoheil Hassas Yeganeh <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() · 43493838
    Taehee Yoo authored
    [ Upstream commit dafabb65 ]
    
    In the datapath, ip6gre_tunnel_lookup() is used and it internally uses the
    fallback tunnel device pointer, which is fb_tunnel_dev.
    This pointer variable should be set to NULL when a fb interface is deleted.
    But there is no routine to set the fb_tunnel_dev pointer to NULL.
    So this pointer will still be used after the interface is deleted and
    it eventually results in a use-after-free problem.
    
    Test commands:
        ip netns add A
        ip netns add B
        ip link add eth0 type veth peer name eth1
        ip link set eth0 netns A
        ip link set eth1 netns B
    
        ip netns exec A ip link set lo up
        ip netns exec A ip link set eth0 up
        ip netns exec A ip link add ip6gre1 type ip6gre local fc:0::1 \
    	    remote fc:0::2
        ip netns exec A ip -6 a a fc:100::1/64 dev ip6gre1
        ip netns exec A ip link set ip6gre1 up
        ip netns exec A ip -6 a a fc:0::1/64 dev eth0
        ip netns exec A ip link set ip6gre0 up
    
        ip netns exec B ip link set lo up
        ip netns exec B ip link set eth1 up
        ip netns exec B ip link add ip6gre1 type ip6gre local fc:0::2 \
    	    remote fc:0::1
        ip netns exec B ip -6 a a fc:100::2/64 dev ip6gre1
        ip netns exec B ip link set ip6gre1 up
        ip netns exec B ip -6 a a fc:0::2/64 dev eth1
        ip netns exec B ip link set ip6gre0 up
        ip netns exec A ping fc:100::2 -s 60000 &
        ip netns del B
    
    Splat looks like:
    [   73.087285][    C1] BUG: KASAN: use-after-free in ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
    [   73.088361][    C1] Read of size 4 at addr ffff888040559218 by task ping/1429
    [   73.089317][    C1]
    [   73.089638][    C1] CPU: 1 PID: 1429 Comm: ping Not tainted 5.7.0+ #602
    [   73.090531][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [   73.091725][    C1] Call Trace:
    [   73.092160][    C1]  <IRQ>
    [   73.092556][    C1]  dump_stack+0x96/0xdb
    [   73.093122][    C1]  print_address_description.constprop.6+0x2cc/0x450
    [   73.094016][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
    [   73.094894][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
    [   73.095767][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
    [   73.096619][    C1]  kasan_report+0x154/0x190
    [   73.097209][    C1]  ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
    [   73.097989][    C1]  ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
    [   73.098750][    C1]  ? gre_del_protocol+0x60/0x60 [gre]
    [   73.099500][    C1]  gre_rcv+0x1c5/0x1450 [ip6_gre]
    [   73.100199][    C1]  ? ip6gre_header+0xf00/0xf00 [ip6_gre]
    [   73.100985][    C1]  ? rcu_read_lock_sched_held+0xc0/0xc0
    [   73.101830][    C1]  ? ip6_input_finish+0x5/0xf0
    [   73.102483][    C1]  ip6_protocol_deliver_rcu+0xcbb/0x1510
    [   73.103296][    C1]  ip6_input_finish+0x5b/0xf0
    [   73.103920][    C1]  ip6_input+0xcd/0x2c0
    [   73.104473][    C1]  ? ip6_input_finish+0xf0/0xf0
    [   73.105115][    C1]  ? rcu_read_lock_held+0x90/0xa0
    [   73.105783][    C1]  ? rcu_read_lock_sched_held+0xc0/0xc0
    [   73.106548][    C1]  ipv6_rcv+0x1f1/0x300
    [ ... ]
    Suggested-by: default avatarEric Dumazet <[email protected]>
    Fixes: c12b395a ("gre: Support GRE over IPv6")
    Signed-off-by: default avatarTaehee Yoo <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    43493838
    net: Fix the arp error in some cases · c23e828e
    guodeqing authored
    [ Upstream commit 5eea3a63 ]
    
    ie.,
    $ ifconfig eth0 6.6.6.6 netmask 255.255.255.0
    
    $ ip rule add from 6.6.6.6 table 6666
    
    $ ip route add 9.9.9.9 via 6.6.6.6
    
    $ ping -I 6.6.6.6 9.9.9.9
    PING 9.9.9.9 (9.9.9.9) from 6.6.6.6 : 56(84) bytes of data.
    
    3 packets transmitted, 0 received, 100% packet loss, time 2079ms
    
    $ arp
    Address     HWtype  HWaddress           Flags Mask            Iface
    6.6.6.6             (incomplete)                              eth0
    
    The ARP request address is wrong. This is because fib_table_lookup() in
    fib_check_nh() looks up the nexthop for destination 9.9.9.9, so the scope of
    the FIB result is RT_SCOPE_LINK, while the correct scope is RT_SCOPE_HOST.
    Here I add a check of whether the table is RT_TABLE_MAIN to solve this problem.
    
    Fixes: 3bfd8472 ("net: Use passed in table for nexthop lookups")
    Signed-off-by: default avatarguodeqing <[email protected]>
    Reviewed-by: default avatarDavid Ahern <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    c23e828e
    net: Do not clear the sock TX queue in sk_set_socket() · 3cb98605
    Tariq Toukan authored
    [ Upstream commit 41b14fb8 ]
    
    Clearing the sock TX queue in sk_set_socket() might cause unexpected
    out-of-order transmit when called from sock_orphan(), as outstanding
    packets can pick a different TX queue and bypass the ones already queued.
    
    This is undesired in general. More specifically, it breaks the in-order
    scheduling property guarantee for device-offloaded TLS sockets.
    
    Remove the call to sk_tx_queue_clear() in sk_set_socket(), and add it
    explicitly only where needed.
    
    Fixes: e022f0b4 ("net: Introduce sk_tx_queue_mapping")
    Signed-off-by: default avatarTariq Toukan <[email protected]>
    Reviewed-by: default avatarBoris Pismenny <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    3cb98605
    net: core: reduce recursion limit value · ab2dc9df
    Taehee Yoo authored
    [ Upstream commit fb7861d1 ]
    
    In the current code, ->ndo_start_xmit() can be executed recursively only
    10 times because of stack memory.
    But in the case of vxlan, a recursion limit of 10 results in
    a stack overflow.
    In the current code, the nesting of interfaces is limited to a depth of 8.
    There is no critical reason that the recursion limit value should
    be 10.
    So it would be good to use the same value as the limit on the
    nesting depth of interfaces.
    
    Test commands:
        ip link add vxlan10 type vxlan vni 10 dstport 4789 srcport 4789 4789
        ip link set vxlan10 up
        ip a a 192.168.10.1/24 dev vxlan10
        ip n a 192.168.10.2 dev vxlan10 lladdr fc:22:33:44:55:66 nud permanent
    
        for i in {9..0}
        do
            let A=$i+1
    	ip link add vxlan$i type vxlan vni $i dstport 4789 srcport 4789 4789
    	ip link set vxlan$i up
    	ip a a 192.168.$i.1/24 dev vxlan$i
    	ip n a 192.168.$i.2 dev vxlan$i lladdr fc:22:33:44:55:66 nud permanent
    	bridge fdb add fc:22:33:44:55:66 dev vxlan$A dst 192.168.$i.2 self
        done
        hping3 192.168.10.2 -2 -d 60000
    
    Splat looks like:
    [  103.814237][ T1127] =============================================================================
    [  103.871955][ T1127] BUG kmalloc-2k (Tainted: G    B            ): Padding overwritten. 0x00000000897a2e4f-0x000
    [  103.873187][ T1127] -----------------------------------------------------------------------------
    [  103.873187][ T1127]
    [  103.874252][ T1127] INFO: Slab 0x000000005cccc724 objects=5 used=5 fp=0x0000000000000000 flags=0x10000000001020
    [  103.881323][ T1127] CPU: 3 PID: 1127 Comm: hping3 Tainted: G    B             5.7.0+ #575
    [  103.882131][ T1127] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
    [  103.883006][ T1127] Call Trace:
    [  103.883324][ T1127]  dump_stack+0x96/0xdb
    [  103.883716][ T1127]  slab_err+0xad/0xd0
    [  103.884106][ T1127]  ? _raw_spin_unlock+0x1f/0x30
    [  103.884620][ T1127]  ? get_partial_node.isra.78+0x140/0x360
    [  103.885214][ T1127]  slab_pad_check.part.53+0xf7/0x160
    [  103.885769][ T1127]  ? pskb_expand_head+0x110/0xe10
    [  103.886316][ T1127]  check_slab+0x97/0xb0
    [  103.886763][ T1127]  alloc_debug_processing+0x84/0x1a0
    [  103.887308][ T1127]  ___slab_alloc+0x5a5/0x630
    [  103.887765][ T1127]  ? pskb_expand_head+0x110/0xe10
    [  103.888265][ T1127]  ? lock_downgrade+0x730/0x730
    [  103.888762][ T1127]  ? pskb_expand_head+0x110/0xe10
    [  103.889244][ T1127]  ? __slab_alloc+0x3e/0x80
    [  103.889675][ T1127]  __slab_alloc+0x3e/0x80
    [  103.890108][ T1127]  __kmalloc_node_track_caller+0xc7/0x420
    [ ... ]
    
    Fixes: 11a766ce ("net: Increase xmit RECURSION_LIMIT to 10.")
    Signed-off-by: default avatarTaehee Yoo <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    ab2dc9df
    USB: ohci-sm501: Add missed iounmap() in remove · 1cecefac
    Will Lester authored
    commit 07c112fb upstream.
    
    This driver misses calling iounmap() in remove to undo the ioremap()
    called in probe.
    Add the missed call to fix it.
    
    Fixes: f54aab6e ("usb: ohci-sm501 driver")
    Cc: stable <[email protected]>
    Signed-off-by: Will Lester's avatarChuhong Yuan <[email protected]>
    Acked-by: default avatarAlan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    1cecefac
    usb: dwc2: Postponed gadget registration to the udc class driver · 52caba77
    Minas Harutyunyan authored
    commit 207324a3 upstream.
    
    During dwc2 driver probe, after gadget registration with the udc class
    driver, any existing built-in function driver is immediately bound to
    dwc2, and after host side init (dwc2_hcd_init()) it gets stuck in host mode.
    This patch postpones gadget registration until host side initialization is done.
    
    Fixes: 117777b2 ("usb: dwc2: Move gadget probe function into platform code")
    Reported-by: default avatarkbuild test robot <[email protected]>
    Tested-by: default avatarMarek Vasut <[email protected]>
    Cc: stable <[email protected]>
    Signed-off-by: default avatarMinas Harutyunyan <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]ynopsys.comSigned-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    52caba77
    usb: add USB_QUIRK_DELAY_INIT for Logitech C922 · 920f20c1
    Tomasz Meresiński authored
    commit 5d802192 upstream.
    
    The Logitech C922, just like other Logitech webcams,
    needs the USB_QUIRK_DELAY_INIT or it will randomly
    not respond after device connection
    Signed-off-by: default avatarTomasz Meresiński <[email protected]>
    Cc: stable <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    920f20c1
    USB: ehci: reopen solution for Synopsys HC bug · 80b602bc
    Longfang Liu authored
    commit 1ddcb71a upstream.
    
    A Synopsys USB2.0 core used in Huawei Kunpeng920 SoC has a bug which
    might cause the host controller not issuing ping.
    
    Bug description:
    After indicating an Interrupt on Async Advance, the software uses the
    doorbell mechanism to delete the Next Link queue head of the last
    executed queue head. At this time, the host controller still references
    the removed queue head(the queue head is NULL). NULL reference causes
    the host controller to lose the USB device.
    
    Solution:
    After deleting the Next Link queue head, when has_synopsys_hc_bug is set
    to 1, the software can write one of the valid queue head addresses to
    the ASYNCLISTADDR register to allow the host controller to get
    a valid queue head. In order to solve that problem, this patch sets
    the flag for Huawei Kunpeng920.
    
    There are detailed instructions and solutions in this patch:
    commit 2f7ac6c1 ("USB: ehci: add workaround for Synopsys HC bug")
    Signed-off-by: default avatarLongfang Liu <[email protected]>
    Cc: stable <[email protected]>
    Acked-by: default avatarAlan Stern <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    80b602bc
    usb: host: xhci-mtk: avoid runtime suspend when removing hcd · 04dea434
    Macpaul Lin authored
    commit a24d5072 upstream.
    
    When runtime suspend was enabled, runtime suspend might happen
    while xhci is removing the hcd. This might cause a kernel panic when the hcd
    has already been freed but the runtime PM suspend related handler still
    needs to reference it.
    Signed-off-by: default avatarMacpaul Lin <[email protected]>
    Reviewed-by: default avatarChunfeng Yun <[email protected]>
    Cc: [email protected]
    Signed-off-by: default avatarMathias Nyman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    04dea434
    usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() · beaf9363
    Tang Bin authored
    commit 44ed240d upstream.
    
    If the function platform_get_irq() fails, the negative value
    returned is not detected here. So fix the error handling in
    exynos_ehci_probe(). Also, when getting the irq fails, the function
    platform_get_irq() already logs an error message, so remove the redundant
    message here.
    
    Fixes: 1bcc5aa8 ("USB: Add initial S5P EHCI driver")
    Cc: stable <[email protected]>
    Signed-off-by: default avatarZhang Shengju <[email protected]>
    Signed-off-by: default avatarTang Bin <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    beaf9363
    ALSA: usb-audio: add quirk for Denon DCD-1500RE · 9c5fce69
    Yick W. Tse authored
    commit c9808bbf upstream.
    
    fix error "clock source 41 is not valid, cannot use"
    
    [] New USB device found, idVendor=154e, idProduct=1002, bcdDevice= 1.00
    [] New USB device strings: Mfr=1, Product=2, SerialNumber=0
    [] Product: DCD-1500RE
    [] Manufacturer: D & M Holdings Inc.
    []
    [] clock source 41 is not valid, cannot use
    [] usbcore: registered new interface driver snd-usb-audio
    Signed-off-by: default avatarYick W. Tse <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    9c5fce69
    xhci: Fix incorrect EP_STATE_MASK · 194ab115
    Mathias Nyman authored
    commit dceea670 upstream.
    
    EP_STATE_MASK should be 0x7 instead of 0xf
    
    xhci spec 6.2.3 shows that the EP state field in the endpoint context data
    structure consist of bits [2:0].
    The old value included a bit from the next field, which fortunately is a
    RsvdZ region. So hopefully this hasn't caused too much harm.
    
    Cc: [email protected]
    Signed-off-by: default avatarMathias Nyman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    194ab115
    xhci: Fix enumeration issue when setting max packet size for FS devices. · da333e0f
    Al Cooper authored
    commit a73d9d9c upstream.
    
    Unable to complete the enumeration of a USB TV Tuner device.
    
    Per XHCI spec (4.6.5), the EP state field of the input context shall
    be cleared for a set address command. In the special case of an FS
    device that has "MaxPacketSize0 = 8", the Linux XHCI driver does
    not do this before evaluating the context. With an XHCI controller
    that checks the EP state field for parameter context error this
    causes a problem in cases such as the device getting reset again
    after enumeration.
    
    When that field is cleared, the problem does not occur.
    
    This was found and fixed by Sasi Kumar.
    
    Cc: [email protected]
    Signed-off-by: default avatarAl Cooper <[email protected]>
    Signed-off-by: default avatarMathias Nyman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    da333e0f
    cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip · 726b1397
    Joakim Tjernlund authored
    commit 03894573 upstream.
    
    USB_DEVICE(0x0424, 0x274e) can send data before cdc_acm is ready,
    causing garbage chars on the TTY causing stray input to the shell
    and/or login prompt.
    Signed-off-by: Joakim Tjernlund's avatarJoakim Tjernlund <[email protected]>
    Cc: [email protected]
    Acked-by: default avatarOliver Neukum <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Greg Kroah-Hartman <[email protected]>
    726b1397
    loop: replace kill_bdev with invalidate_bdev · e9138db1
    Zheng Bin authored
    commit f4bd34b1 upstream.
    
    When a filesystem is mounted on a loop device and on a loop ioctl
    LOOP_SET_STATUS64, because of kill_bdev, buffer_head mappings are getting
    destroyed.
    kill_bdev
      truncate_inode_pages
        truncate_inode_pages_range
          do_invalidatepage
            block_invalidatepage
              discard_buffer  -->clear BH_Mapped flag
    
    sb_bread
      __bread_gfp
      bh = __getblk_gfp
      -->discard_buffer clear BH_Mapped flag
      __bread_slow
        submit_bh
          submit_bh_wbc
            BUG_ON(!buffer_mapped(bh))  --> hit this BUG_ON
    
    Fixes: 5db470e2 ("loop: drop caches if offset or block_size are changed")
    Signed-off-by: default avatarZheng Bin <[email protected]>
    Reviewed-by: default avatarChristoph Hellwig <[email protected]>
    Reviewed-by: default avatarBart Van Assche <[email protected]>
    Signed-off-by: default avatarJens Axboe <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    e9138db1
    ALSA: usb-audio: uac1: Invalidate ctl on interrupt · dc3e0068
    Julian Scheel authored
    [ Upstream commit b2500b58 ]
    
    When an interrupt occurs, the value of at least one of the belonging
    controls should have changed. To make sure they get re-read from device
    on the next read, invalidate the cache. This was correctly implemented
    for uac2 already, but missing for uac1.
    Signed-off-by: Julian Scheel <[email protected]>
    Signed-off-by: Takashi Iwai <[email protected]>
    Signed-off-by: Sasha Levin <[email protected]>
    dc3e0068
    ALSA: usb-audio: Clean up mixer element list traverse · aed669b7
    Takashi Iwai authored
    [ Upstream commit 8c558076 ]
    
    Introduce a new macro for iterating over mixer element list for
    avoiding the open codes in many places.  Also the open-coded
    container_of() and the forced cast to struct usb_mixer_elem_info are
    replaced with another simple macro, too.
    
    No functional changes but just readability improvement.
    Signed-off-by: default avatarTakashi Iwai <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    aed669b7
    ALSA: usb-audio: Fix OOB access of mixer element list · 9662e63f
    Takashi Iwai authored
    [ Upstream commit 220345e9 ]
    
    The USB-audio mixer code holds a linked list of usb_mixer_elem_list,
    and several operations are performed for each mixer element.  A few of
    them (snd_usb_mixer_notify_id() and snd_usb_mixer_interrupt_v2())
    assume each mixer element being a usb_mixer_elem_info object that is a
    subclass of usb_mixer_elem_list, cast via container_of() and access its
    members.  This may result in an out-of-bound access when a
    non-standard list element has been added, as spotted by syzkaller
    recently.
    
    This patch adds a new field, is_std_info, in usb_mixer_elem_list to
    indicate that the element is the usb_mixer_elem_info type or not, and
    skip the access to such an element if needed.
    
    Reported-by: [email protected]
    Reported-by: [email protected]
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarTakashi Iwai <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    9662e63f
    xhci: Poll for U0 after disabling USB2 LPM · 3bfa790b
    Kai-Heng Feng authored
    [ Upstream commit b3d71abd ]
    
    USB2 devices with LPM enabled may interrupt the system suspend:
    [  932.510475] usb 1-7: usb suspend, wakeup 0
    [  932.510549] hub 1-0:1.0: hub_suspend
    [  932.510581] usb usb1: bus suspend, wakeup 0
    [  932.510590] xhci_hcd 0000:00:14.0: port 9 not suspended
    [  932.510593] xhci_hcd 0000:00:14.0: port 8 not suspended
    ..
    [  932.520323] xhci_hcd 0000:00:14.0: Port change event, 1-7, id 7, portsc: 0x400e03
    ..
    [  932.591405] PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -16
    [  932.591414] PM: dpm_run_callback(): pci_pm_suspend+0x0/0x160 returns -16
    [  932.591418] PM: Device 0000:00:14.0 failed to suspend async: error -16
    
    During system suspend, USB core will let the HC suspend the device if it
    doesn't have remote wakeup enabled and doesn't have any children.
    However, from the log above we can see that usb 1-7 doesn't get bus
    suspended because it is not in U0. After a while the port finishes the
    U2 -> U0 transition, which interrupts the suspend process.
    
    The observation is that after disabling LPM, port doesn't transit to U0
    immediately and can linger in U2. xHCI spec 4.23.5.2 states that the
    maximum exit latency for USB2 LPM should be BESL + 10us. The BESL for
    the affected device is advertised as 400us, which is still not enough
    based on my testing result.
    
    So let's use the maximum permitted latency, 10000, to poll for U0
    status to solve the issue.
    
    Cc: [email protected]
    Signed-off-by: default avatarKai-Heng Feng <[email protected]>
    Signed-off-by: default avatarMathias Nyman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    3bfa790b
    cifs/smb3: Fix data inconsistent when punch hole · d7cc2b5d
    Zhang Xiaoxu authored
    [ Upstream commit acc91c2d ]
    
    When punch hole success, we also can read old data from file:
      # strace -e trace=pread64,fallocate xfs_io -f -c "pread 20 40" \
               -c "fpunch 20 40" -c"pread 20 40" file
      pread64(3, " version 5.8.0-rc1+"..., 40, 20) = 40
      fallocate(3, FALLOC_FL_KEEP_SIZE|FALLOC_FL_PUNCH_HOLE, 20, 40) = 0
      pread64(3, " version 5.8.0-rc1+"..., 40, 20) = 40
    
    CIFS implements fallocate(FALLOC_FL_PUNCH_HOLE) by sending an SMB
    ioctl(FSCTL_SET_ZERO_DATA) to the server. It just sets the range of the
    remote file to zero, but the local page cache is not updated, so the
    local page cache is inconsistent with the server.
    
    Also can be found by xfstests generic/316.
    
    So, we need to remove the page caches before send the SMB
    ioctl(FSCTL_SET_ZERO_DATA) to server.
    
    Fixes: 31742c5a ("enable fallocate punch hole ("fallocate -p") for SMB3")
    Suggested-by: default avatarPavel Shilovsky <[email protected]>
    Reviewed-by: default avatarPavel Shilovsky <[email protected]>
    Signed-off-by: default avatarZhang Xiaoxu <[email protected]>
    Cc: [email protected] # v3.17
    Signed-off-by: default avatarSteve French <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    d7cc2b5d
    cifs/smb3: Fix data inconsistent when zero file range · bd35f823
    Zhang Xiaoxu authored
    [ Upstream commit 6b690402 ]
    
    CIFS implements fallocate(FALLOC_FL_ZERO_RANGE) by sending an SMB
    ioctl(FSCTL_SET_ZERO_DATA) to the server. It just sets the range of the
    remote file to zero, but the local page cache is not updated, so the data
    is inconsistent with the server, which leads to xfstest generic/008 failing.
    
    So we need to remove the local page caches before send SMB
    ioctl(FSCTL_SET_ZERO_DATA) to server. After next read, it will
    re-cache it.
    
    Fixes: 30175628 ("[SMB3] Enable fallocate -z support for SMB3 mounts")
    Reported-by: default avatarHulk Robot <[email protected]>
    Signed-off-by: default avatarZhang Xiaoxu <[email protected]>
    Reviewed-by: default avatarPavel Shilovsky <[email protected]>
    Cc: [email protected] # v3.17
    Signed-off-by: default avatarSteve French <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    bd35f823
    efi/esrt: Fix reference count leak in esre_create_sysfs_entry. · 3be7d370
    Qiushi Wu authored
    [ Upstream commit 4ddf4739 ]
    
    kobject_init_and_add() takes reference even when it fails.
    If this function returns an error, kobject_put() must be called to
    properly clean up the memory associated with the object. Previous
    commit "b8eb7183" fixed a similar problem.
    
    Fixes: 0bb54905 ("efi: Add esrt support")
    Signed-off-by: default avatarQiushi Wu <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Ard Biesheuvel <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    3be7d370
    ARM: dts: NSP: Correct FA2 mailbox node · 4dddbac2
    Matthew Hagan authored
    [ Upstream commit ac4e106d ]
    
    The FA2 mailbox is specified at 0x18025000 but should actually be
    0x18025c00, length 0x400 according to socregs_nsp.h and board_bu.c. Also
    the interrupt was off by one and should be GIC SPI 151 instead of 150.
    
    Fixes: 17d51717 ("ARM: dts: NSP: Add mailbox (PDC) to NSP")
    Signed-off-by: default avatarMatthew Hagan <[email protected]>
    Signed-off-by: default avatarFlorian Fainelli <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    4dddbac2
    rxrpc: Fix handling of rwind from an ACK packet · bef75aec
    David Howells authored
    [ Upstream commit a2ad7c21 ]
    
    The handling of the receive window size (rwind) from a received ACK packet
    is not correct.  The rxrpc_input_ackinfo() function currently checks the
    current Tx window size against the rwind from the ACK to see if it has
    changed, but then limits the rwind size before storing it in the tx_winsize
    member and, if it increased, wakes up the transmitting process.  This means
    that if rwind > RXRPC_RXTX_BUFF_SIZE - 1, this path will always be
    followed.
    
    Fix this by limiting rwind before we compare it to tx_winsize.
    
    The effect of this can be seen by enabling the rxrpc_rx_rwind_change
    tracepoint.
    
    Fixes: 702f2ac8 ("rxrpc: Wake up the transmitter if Rx window size increases on the peer")
    Signed-off-by: default avatarDavid Howells <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    bef75aec
    RDMA/cma: Protect bind_list and listen_list while finding matching cm id · f58b7bce
    Mark Zhang authored
    [ Upstream commit 730c8912 ]
    
    The bind_list and listen_list must be accessed under a lock, add the
    missing locking around the access in cm_ib_id_from_event()
    
    In addition add lockdep asserts to make it clearer what the locking
    semantic is here.
    
      general protection fault: 0000 [#1] SMP NOPTI
      CPU: 226 PID: 126135 Comm: kworker/226:1 Tainted: G OE 4.12.14-150.47-default #1 SLE15
      Hardware name: Cray Inc. Windom/Windom, BIOS 0.8.7 01-10-2020
      Workqueue: ib_cm cm_work_handler [ib_cm]
      task: ffff9c5a60a1d2c0 task.stack: ffffc1d91f554000
      RIP: 0010:cma_ib_req_handler+0x3f1/0x11b0 [rdma_cm]
      RSP: 0018:ffffc1d91f557b40 EFLAGS: 00010286
      RAX: deacffffffffff30 RBX: 0000000000000001 RCX: ffff9c2af5bb6000
      RDX: 00000000000000a9 RSI: ffff9c5aa4ed2f10 RDI: ffffc1d91f557b08
      RBP: ffffc1d91f557d90 R08: ffff9c340cc80000 R09: ffff9c2c0f901900
      R10: 0000000000000000 R11: 0000000000000001 R12: deacffffffffff30
      R13: ffff9c5a48aeec00 R14: ffffc1d91f557c30 R15: ffff9c5c2eea3688
      FS: 0000000000000000(0000) GS:ffff9c5c2fa80000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00002b5cc03fa320 CR3: 0000003f8500a000 CR4: 00000000003406e0
      Call Trace:
      ? rdma_addr_cancel+0xa0/0xa0 [ib_core]
      ? cm_process_work+0x28/0x140 [ib_cm]
      cm_process_work+0x28/0x140 [ib_cm]
      ? cm_get_bth_pkey.isra.44+0x34/0xa0 [ib_cm]
      cm_work_handler+0xa06/0x1a6f [ib_cm]
      ? __switch_to_asm+0x34/0x70
      ? __switch_to_asm+0x34/0x70
      ? __switch_to_asm+0x40/0x70
      ? __switch_to_asm+0x34/0x70
      ? __switch_to_asm+0x40/0x70
      ? __switch_to_asm+0x34/0x70
      ? __switch_to_asm+0x40/0x70
      ? __switch_to+0x7c/0x4b0
      ? __switch_to_asm+0x40/0x70
      ? __switch_to_asm+0x34/0x70
      process_one_work+0x1da/0x400
      worker_thread+0x2b/0x3f0
      ? process_one_work+0x400/0x400
      kthread+0x118/0x140
      ? kthread_create_on_node+0x40/0x40
      ret_from_fork+0x22/0x40
      Code: 00 66 83 f8 02 0f 84 ca 05 00 00 49 8b 84 24 d0 01 00 00 48 85 c0 0f 84 68 07 00 00 48 2d d0 01
      00 00 49 89 c4 0f 84 59 07 00 00 <41> 0f b7 44 24 20 49 8b 77 50 66 83 f8 0a 75 9e 49 8b 7c 24 28
    
    Fixes: 4c21b5bc ("IB/cma: Add net_dev and private data checks to RDMA CM")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Zhang <[email protected]>
    Reviewed-by: default avatarMaor Gottlieb <[email protected]>
    Signed-off-by: default avatarLeon Romanovsky <[email protected]>
    Signed-off-by: default avatarJason Gunthorpe <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    f58b7bce
    ASoC: rockchip: Fix a reference count leak. · 5d7271de
    Qiushi Wu authored
    [ Upstream commit f141a422 ]
    
    Calling pm_runtime_get_sync increments the counter even in case of
    failure, causing incorrect ref count if pm_runtime_put is not called in
    error handling paths. Call pm_runtime_put if pm_runtime_get_sync fails.
    
    Fixes: fc05a5b2 ("ASoC: rockchip: add support for pdm controller")
    Signed-off-by: default avatarQiushi Wu <[email protected]>
    Reviewed-by: default avatarHeiko Stuebner <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Mark Brown <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    5d7271de
    RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() · f83bc27f
    Fan Guo authored
    [ Upstream commit a17f4bed ]
    
    If ib_dma_mapping_error() returns non-zero value,
    ib_mad_post_receive_mads() will jump out of loops and return -ENOMEM
    without freeing mad_priv. Fix this memory-leak problem by freeing mad_priv
    in this case.
    
    Fixes: 2c34e68f ("IB/mad: Check and handle potential DMA mapping errors")
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: Fan Guo <[email protected]>
    Signed-off-by: default avatarJason Gunthorpe <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    f83bc27f
    net: qed: fix left elements count calculation · 2d11f5da
    Alexander Lobakin authored
    [ Upstream commit 97dd1abd ]
    
    qed_chain_get_element_left{,_u32} returned 0 when the difference
    between producer and consumer page count was equal to the total
    page count.
    Fix this by conditionally expanding the producer value (instead of
    unconditionally). This allowed eliminating the normalization against the
    total page count, which was the cause of this bug.
    
    Misc: replace open-coded constants with common defines.
    
    Fixes: a91eb52a ("qed: Revisit chain implementation")
    Signed-off-by: default avatarAlexander Lobakin <[email protected]>
    Signed-off-by: default avatarIgor Russkikh <[email protected]>
    Signed-off-by: default avatarMichal Kalderon <[email protected]om>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    2d11f5da
    net: qed: fix NVMe login fails over VFs · 24aa3361
    Alexander Lobakin authored
    [ Upstream commit ccd7c7ce ]
    
    25ms sleep cycles in waiting for PF response are excessive and may lead
    to different timeout failures.
    
    Start to wait with short udelays, and in most cases polling will end
    here. If the time was not sufficient, switch to msleeps.
    usleep_range() may go far beyond 100us depending on platform and tick
    configuration, hence atomic udelays for consistency.
    
    Also add explicit DMA barriers since 'done' always comes from a shared
    request-response DMA pool, and note that in the comment nearby.
    
    Fixes: 1408cc1f ("qed: Introduce VFs")
    Signed-off-by: default avatarAlexander Lobakin <[email protected]>
    Signed-off-by: default avatarIgor Russkikh <[email protected]>
    Signed-off-by: default avatarMichal Kalderon <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    24aa3361
    net: qed: fix excessive QM ILT lines consumption · 907140fe
    Alexander Lobakin authored
    [ Upstream commit d434d02f ]
    
    This is likely a copy'n'paste mistake. The amount of ILT lines to
    reserve for a single VF was being multiplied by the total VFs count.
    This led to a huge redundancy in reservation and potential lines
    drainouts.
    
    Fixes: 1408cc1f ("qed: Introduce VFs")
    Signed-off-by: default avatarAlexander Lobakin <[email protected]>
    Signed-off-by: default avatarIgor Russkikh <[email protected]>
    Signed-off-by: default avatarMichal Kalderon <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    907140fe
    ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram() · 651db7ab
    yu kuai authored
    [ Upstream commit 586745f1 ]
    
    If of_find_device_by_node() succeeds, imx_suspend_alloc_ocram() doesn't
    have a corresponding put_device(). Thus add a jump target to fix the
    error handling in this function implementation.
    
    Fixes: 1579c7b9 ("ARM: imx53: Set DDR pins to high impedance when in suspend to RAM.")
    Signed-off-by: default avataryu kuai <[email protected]>
    Signed-off-by: default avatarShawn Guo <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    651db7ab
    usb: gadget: udc: Potential Oops in error handling code · 9ad40ca6
    Dan Carpenter authored
    [ Upstream commit e55f3c37 ]
    
    If this is in "transceiver" mode, the ->qwork isn't required and is
    a NULL pointer.  This can lead to a NULL dereference when we call
    destroy_workqueue(udc->qwork).
    
    Fixes: 3517c31a ("usb: gadget: mv_udc: use devm_xxx for probe")
    Signed-off-by: default avatarDan Carpenter <[email protected]>
    Signed-off-by: default avatarFelipe Balbi <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    9ad40ca6
    netfilter: ipset: fix unaligned atomic access · 4f55217a
    Russell King authored
    [ Upstream commit 71502846 ]
    
    When using ip_set with counters and comment, traffic causes the kernel
    to panic on 32-bit ARM:
    
    Alignment trap: not handling instruction e1b82f9f at [<bf01b0dc>]
    Unhandled fault: alignment exception (0x221) at 0xea08133c
    PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
    
    The problem occurs when we try to update the 64-bit counters - the
    faulting address above is not 64-bit aligned.  The problem occurs
    due to the way elements are allocated, for example:
    
    	set->dsize = ip_set_elem_len(set, tb, 0, 0);
    	map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
    
    If the element has a requirement for a member to be 64-bit aligned,
    and set->dsize is not a multiple of 8 but is a multiple of four,
    then every odd-numbered element will be misaligned - and hitting
    an atomic64_add() on that element will cause the kernel to panic.
    
    ip_set_elem_len() must return a size that is rounded to the maximum
    alignment of any extension field stored in the element.  This change
    ensures that is the case.
    
    Fixes: 95ad1f4a ("netfilter: ipset: Fix extension alignment")
    Signed-off-by: default avatarRussell King <[email protected]>
    Acked-by: default avatarJozsef Kadlecsik <[email protected]>
    Signed-off-by: default avatarPablo Neira Ayuso <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    4f55217a
    net: bcmgenet: use hardware padding of runt frames · faba5d00
    Doug Berger authored
    [ Upstream commit 20d1f2d1 ]
    
    When commit 474ea9ca ("net: bcmgenet: correctly pad short
    packets") added the call to skb_padto() it should have been
    located before the nr_frags parameter was read since that value
    could be changed when padding packets with lengths between 55
    and 59 bytes (inclusive).
    
    The use of a stale nr_frags value can cause corruption of the
    pad data when tx-scatter-gather is enabled. This corruption of
    the pad can cause invalid checksum computation when hardware
    offload of tx-checksum is also enabled.
    
    Since the original reason for the padding was corrected by
    commit 7dd39913 ("net: bcmgenet: fix skb_len in
    bcmgenet_xmit_single()") we can remove the software padding
    altogether and make use of hardware padding of short frames, as
    long as the hardware also always appends the FCS value to the
    frame.
    
    Fixes: 474ea9ca ("net: bcmgenet: correctly pad short packets")
    Signed-off-by: default avatarDoug Berger <[email protected]>
    Acked-by: default avatarFlorian Fainelli <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    faba5d00
    sched/core: Fix PI boosting between RT and DEADLINE tasks · ec18e04c
    Juri Lelli authored
    [ Upstream commit 740797ce ]
    
    syzbot reported the following warning:
    
     WARNING: CPU: 1 PID: 6351 at kernel/sched/deadline.c:628
     enqueue_task_dl+0x22da/0x38a0 kernel/sched/deadline.c:1504
    
    At deadline.c:628 we have:
    
     623 static inline void setup_new_dl_entity(struct sched_dl_entity *dl_se)
     624 {
     625 	struct dl_rq *dl_rq = dl_rq_of_se(dl_se);
     626 	struct rq *rq = rq_of_dl_rq(dl_rq);
     627
     628 	WARN_ON(dl_se->dl_boosted);
     629 	WARN_ON(dl_time_before(rq_clock(rq), dl_se->deadline));
            [...]
         }
    
    Which means that setup_new_dl_entity() has been called on a task
    currently boosted. This shouldn't happen though, as setup_new_dl_entity()
    is only called when the 'dynamic' deadline of the new entity
    is in the past w.r.t. rq_clock and boosted tasks shouldn't verify this
    condition.
    
    Digging through the PI code I noticed that the above might in fact happen
    if an RT task blocks on an rt_mutex held by a DEADLINE task. In the
    first branch of the boosting conditions we check only if the pi_task 'dynamic'
    deadline is earlier than the mutex holder's, and in this case we set the mutex
    holder to be dl_boosted. However, since RT 'dynamic' deadlines are only
    initialized if such tasks get boosted at some point (or if they become
    DEADLINE, of course), in general RT 'dynamic' deadlines are usually equal
    to 0, and this satisfies the aforementioned condition.
    
    Fix it by checking that the potential donor task is actually (even if
    temporary because in turn boosted) running at DEADLINE priority before
    using its 'dynamic' deadline value.
    
    Fixes: 2d3d891d ("sched/deadline: Add SCHED_DEADLINE inheritance logic")
    Reported-by: [email protected]
    Signed-off-by: default avatarJuri Lelli <[email protected]>
    Signed-off-by: default avatarPeter Zijlstra (Intel) <[email protected]>
    Signed-off-by: default avatarIngo Molnar <[email protected]>
    Reviewed-by: default avatarDaniel Bristot de Oliveira <[email protected]>
    Tested-by: default avatarDaniel Wagner <[email protected]>
    Link: https://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarSasha Levin <[email protected]>
    ec18e04c
    ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function · 320c6ed3
    Ye Bin authored
    [ Upstream commit f650ef61 ]
    
    BUG: KASAN: use-after-free in ata_scsi_mode_select_xlat+0x10bd/0x10f0
    drivers/ata/libata-scsi.c:4045
    Read of size 1 at addr ffff88803b8cd003 by task syz-executor.6/12621
    
    CPU: 1 PID: 12621 Comm: syz-executor.6 Not tainted 4.19.95 #1
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
    1.10.2-1ubuntu1 04/01/2014
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0xac/0xee lib/dump_stack.c:118
    print_address_description+0x60/0x223 mm/kasan/report.c:253
    kasan_report_error mm/kasan/report.c:351 [inline]
    kasan_report mm/kasan/report.c:409 [inline]
    kasan_report.cold+0xae/0x2d8 mm/kasan/report.c:393
    ata_scsi_mode_select_xlat+0x10bd/0x10f0 drivers/ata/libata-scsi.c:4045
    ata_scsi_translate+0x2da/0x680 drivers/ata/libata-scsi.c:2035
    __ata_scsi_queuecmd drivers/ata/libata-scsi.c:4360 [inline]
    ata_scsi_queuecmd+0x2e4/0x790 drivers/ata/libata-scsi.c:4409
    scsi_dispatch_cmd+0x2ee/0x6c0 drivers/scsi/scsi_lib.c:1867
    scsi_queue_rq+0xfd7/0x1990 drivers/scsi/scsi_lib.c:2170
    blk_mq_dispatch_rq_list+0x1e1/0x19a0 block/blk-mq.c:1186
    blk_mq_do_dispatch_sched+0x147/0x3d0 block/blk-mq-sched.c:108
    blk_mq_sched_dispatch_requests+0x427/0x680 block/blk-mq-sched.c:204
    __blk_mq_run_hw_queue+0xbc/0x200 block/blk-mq.c:1308
    __blk_mq_delay_run_hw_queue+0x3c0/0x460 block/blk-mq.c:1376
    blk_mq_run_hw_queue+0x152/0x310 block/blk-mq.c:1413
    blk_mq_sched_insert_request+0x337/0x6c0 block/blk-mq-sched.c:397
    blk_execute_rq_nowait+0x124/0x320 block/blk-exec.c:64
    blk_execute_rq+0xc5/0x112 block/blk-exec.c:101
    sg_scsi_ioctl+0x3b0/0x6a0 block/scsi_ioctl.c:507
    sg_ioctl+0xd37/0x23f0 drivers/scsi/sg.c:1106
    vfs_ioctl fs/ioctl.c:46 [inline]
    file_ioctl fs/ioctl.c:501 [inline]
    do_vfs_ioctl+0xae6/0x1030 fs/ioctl.c:688
    ksys_ioctl+0x76/0xa0 fs/ioctl.c:705
    __do_sys_ioctl fs/ioctl.c:712 [inline]
    __se_sys_ioctl fs/ioctl.c:710 [inline]
    __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:710
    do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
    entry_SYSCALL_64_after_hwframe+0x44/0xa9
    RIP: 0033:0x45c479
    Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89
    f7 48
    89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
    ff 0f
    83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007fb0e9602c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
    RAX: ffffffffffffffda RBX: 00007fb0e96036d4 RCX: 000000000045c479
    RDX: 0000000020000040 RSI: 0000000000000001 RDI: 0000000000000003
    RBP: 000000000076bfc0 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
    R13: 000000000000046d R14: 00000000004c6e1a R15: 000000000076bfcc
    
    Allocated by task 12577:
    set_track mm/kasan/kasan.c:460 [inline]
    kasan_kmalloc mm/kasan/kasan.c:553 [inline]
    kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
    __kmalloc+0xf3/0x1e0 mm/slub.c:3749
    kmalloc include/linux/slab.h:520 [inline]
    load_elf_phdrs+0x118/0x1b0 fs/binfmt_elf.c:441
    load_elf_binary+0x2de/0x4610 fs/binfmt_elf.c:737
    search_binary_handler fs/exec.c:1654 [inline]
    search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
    exec_binprm fs/exec.c:1696 [inline]
    __do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
    do_execveat_common fs/exec.c:1866 [inline]
    do_execve fs/exec.c:1883 [inline]
    __do_sys_execve fs/exec.c:1964 [inline]
    __se_sys_execve fs/exec.c:1959 [inline]
    __x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
    do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
    entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    Freed by task 12577:
    set_track mm/kasan/kasan.c:460 [inline]
    __kasan_slab_free+0x129/0x170 mm/kasan/kasan.c:521
    slab_free_hook mm/slub.c:1370 [inline]
    slab_free_freelist_hook mm/slub.c:1397 [inline]
    slab_free mm/slub.c:2952 [inline]
    kfree+0x8b/0x1a0 mm/slub.c:3904
    load_elf_binary+0x1be7/0x4610 fs/binfmt_elf.c:1118
    search_binary_handler fs/exec.c:1654 [inline]
    search_binary_handler+0x15c/0x4e0 fs/exec.c:1632
    exec_binprm fs/exec.c:1696 [inline]
    __do_execve_file.isra.0+0xf52/0x1a90 fs/exec.c:1820
    do_execveat_common fs/exec.c:1866 [inline]
    do_execve fs/exec.c:1883 [inline]
    __do_sys_execve fs/exec.c:1964 [inline]
    __se_sys_execve fs/exec.c:1959 [inline]
    __x64_sys_execve+0x8a/0xb0 fs/exec.c:1959
    do_syscall_64+0xa0/0x2e0 arch/x86/entry/common.c:293
    entry_SYSCALL_64_after_hwframe+0x44/0xa9
    
    The buggy address belongs to the object at ffff88803b8ccf00
    which belongs to the cache kmalloc-512 of size 512
    The buggy address is located 259 bytes inside of
    512-byte region [ffff88803b8ccf00, ffff88803b8cd100)
    The buggy address belongs to the page:
    page:ffffea0000ee3300 count:1 mapcount:0 mapping:ffff88806cc03080
    index:0xffff88803b8cc780 compound_mapcount: 0
    flags: 0x100000000008100(slab|head)
    raw: 0100000000008100 ffffea0001104080 0000000200000002 ffff88806cc03080
    raw: ffff88803b8cc780 00000000800c000b 00000001ffffffff 0000000000000000
    page dumped because: kasan: bad access detected
    
    Memory state around the buggy address:
    ffff88803b8ccf00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ffff88803b8ccf80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    >ffff88803b8cd000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ^
    ffff88803b8cd080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
    ffff88803b8cd100: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
    
    You can refer to "https://www.lkml.org/lkml/2019/1/17/474" reproduce
    this error.
    
    The exception code is "bd_len = p[3];", "p" value is ffff88803b8cd000
    which belongs to the cache kmalloc-512 of size 512. The "page_address(sg_page(scsi_sglist(scmd)))"
    maybe from sg_scsi_ioctl function "buffer" which allocated by kzalloc, so "buffer"
    may not page aligned.
    This also looks completely buggy on highmem systems and really needs to use a
    kmap_atomic.      --Christoph Hellwig
    To address the above bugs, Paolo Bonzini advised that it is simpler to just make a char array
    of size CACHE_MPAGE_LEN+8+8+4-2 (or just 64 to make it easy), use sg_copy_to_buffer
    to copy from the sglist into the buffer, and work there.
    Signed-off-by: default avatarYe Bin <[email protected]>
    Signed-off-by: default avatarJens Axboe <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    320c6ed3
    net: alx: fix race condition in alx_remove · 3f8c89f0
    Zekun Shen authored
    [ Upstream commit e89df5c4 ]
    
    There is a race condition during termination. The path is
    alx_stop and then alx_remove. alx_schedule_link_check could be called
    before alx_stop by the interrupt handler and invoke alx_link_check later.
    alx_stop frees the napis, and alx_remove cancels any pending work.
    If any of the work is scheduled before termination and invoked before
    alx_remove, a null-ptr-deref occurs because both expect alx->napis[i].
    
    This patch fix the race condition by moving cancel_work_sync functions
    before alx_free_napis inside alx_stop. Because interrupt handler can call
    alx_schedule_link_check again, alx_free_irq is moved before
    cancel_work_sync calls too.
    Signed-off-by: default avatarZekun Shen <[email protected]>
    Signed-off-by: default avatarDavid S. Miller <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    3f8c89f0
    s390/ptrace: fix setting syscall number · afa6441c
    Sven Schnelle authored
    [ Upstream commit 873e5a76 ]
    
    When strace wants to update the syscall number, it sets GPR2
    to the desired number and updates the GPR via PTRACE_SETREGSET.
    It doesn't update regs->int_code, which would cause the old syscall
    to be executed on syscall restart. As we cannot change the ptrace ABI and
    don't have a field for the interruption code, check whether the tracee
    is in a syscall and the last instruction was svc. In that case assume
    that the tracer wants to update the syscall number and copy the GPR2
    value to regs->int_code.
    Signed-off-by: default avatarSven Schnelle <[email protected]>
    Signed-off-by: default avatarVasily Gorbik <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    afa6441c
    kbuild: improve cc-option to clean up all temporary files · 94b69ace
    Masahiro Yamada authored
    [ Upstream commit f2f02ebd ]
    
    When cc-option and friends evaluate compiler flags, the temporary file
    $$TMP is created as an output object, and automatically cleaned up.
    The actual file path of $$TMP is .<pid>.tmp, here <pid> is the process
    ID of $(shell ...) invoked from cc-option. (Please note $$$$ is the
    escape sequence of $$).
    
    Such garbage files are cleaned up in most cases, but some compiler flags
    create additional output files.
    
    For example, -gsplit-dwarf creates a .dwo file.
    
    When CONFIG_DEBUG_INFO_SPLIT=y, you will see a bunch of .<pid>.dwo files
    left in the top of build directories. You may not notice them unless you
    do 'ls -a', but the garbage files will increase every time you run 'make'.
    
    This commit changes the temporary object path to .tmp_<pid>/tmp, and
    removes .tmp_<pid> directory when exiting. Separate build artifacts such
    as *.dwo will be cleaned up all together because their file paths are
    usually determined based on the base name of the object.
    
    Another example is -ftest-coverage, which outputs the coverage data into
    <base-name-of-object>.gcno
    Signed-off-by: default avatarMasahiro Yamada <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    94b69ace
    blktrace: break out of blktrace setup on concurrent calls · 06d00ea4
    Luis Chamberlain authored
    [ Upstream commit 1b0b2836 ]
    
    We use one blktrace per request_queue, that means one per the entire
    disk.  So we cannot run one blktrace on say /dev/vda and then /dev/vda1,
    or just two calls on /dev/vda.
    
    We check for concurrent setup only at the very end of the blktrace setup though.
    
    If we try to run two concurrent blktraces on the same block device the
    second one will fail, and the first one seems to go on. However when
    one tries to kill the first one one will see things like this:
    
    The kernel will show these:
    
    ```
    debugfs: File 'dropped' in directory 'nvme1n1' already present!
    debugfs: File 'msg' in directory 'nvme1n1' already present!
    debugfs: File 'trace0' in directory 'nvme1n1' already present!
    ```
    
    And userspace just sees this error message for the second call:
    
    ```
    blktrace /dev/nvme1n1
    BLKTRACESETUP(2) /dev/nvme1n1 failed: 5/Input/output error
    ```
    
    The first userspace process #1 will also claim that the files
    were taken underneath their nose as well. The files are taken
    away form the first process given that when the second blktrace
    fails, it will follow up with a BLKTRACESTOP and BLKTRACETEARDOWN.
    This means that even if go-happy process #1 is waiting for blktrace
    data, we *have* been asked to take teardown the blktrace.
    
    This can easily be reproduced with break-blktrace [0] run_0005.sh test.
    
    Just break out early if we know we're already going to fail, this will
    prevent trying to create the files all over again, which we know still
    exist.
    
    [0] https://github.com/mcgrof/break-blktraceSigned-off-by: default avatarLuis Chamberlain <[email protected]>
    Signed-off-by: default avatarJan Kara <[email protected]>
    Reviewed-by: default avatarBart Van Assche <[email protected]>
    Reviewed-by: default avatarChristoph Hellwig <[email protected]>
    Signed-off-by: default avatarJens Axboe <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    06d00ea4
    ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table · 782c0119
    Aaron Plattner authored
    commit adb36a82 upstream.
    
    These IDs are for upcoming NVIDIA chips with audio functions that are largely
    similar to the existing ones.
    Signed-off-by: default avatarAaron Plattner <[email protected]>
    Cc: <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Signed-off-by: default avatarTakashi Iwai <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    782c0119
    ACPI: sysfs: Fix pm_profile_attr type · 0e66857b
    Nathan Chancellor authored
    commit e6d701dc upstream.
    
    When running a kernel with Clang's Control Flow Integrity implemented,
    there is a violation that happens when accessing
    /sys/firmware/acpi/pm_profile:
    
    $ cat /sys/firmware/acpi/pm_profile
    0
    
    $ dmesg
    ...
    [   17.352564] ------------[ cut here ]------------
    [   17.352568] CFI failure (target: acpi_show_profile+0x0/0x8):
    [   17.352572] WARNING: CPU: 3 PID: 497 at kernel/cfi.c:29 __cfi_check_fail+0x33/0x40
    [   17.352573] Modules linked in:
    [   17.352575] CPU: 3 PID: 497 Comm: cat Tainted: G        W         5.7.0-microsoft-standard+ #1
    [   17.352576] RIP: 0010:__cfi_check_fail+0x33/0x40
    [   17.352577] Code: 48 c7 c7 50 b3 85 84 48 c7 c6 50 0a 4e 84 e8 a4 d8 60 00 85 c0 75 02 5b c3 48 c7 c7 dc 5e 49 84 48 89 de 31 c0 e8 7d 06 eb ff <0f> 0b 5b c3 00 00 cc cc 00 00 cc cc 00 85 f6 74 25 41 b9 ea ff ff
    [   17.352577] RSP: 0018:ffffaa6dc3c53d30 EFLAGS: 00010246
    [   17.352578] RAX: 331267e0c06cee00 RBX: ffffffff83d85890 RCX: ffffffff8483a6f8
    [   17.352579] RDX: ffff9cceabbb37c0 RSI: 0000000000000082 RDI: ffffffff84bb9e1c
    [   17.352579] RBP: ffffffff845b2bc8 R08: 0000000000000001 R09: ffff9cceabbba200
    [   17.352579] R10: 000000000000019d R11: 0000000000000000 R12: ffff9cc947766f00
    [   17.352580] R13: ffffffff83d6bd50 R14: ffff9ccc6fa80000 R15: ffffffff845bd328
    [   17.352582] FS:  00007fdbc8d13580(0000) GS:ffff9cce91ac0000(0000) knlGS:0000000000000000
    [   17.352582] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [   17.352583] CR2: 00007fdbc858e000 CR3: 00000005174d0000 CR4: 0000000000340ea0
    [   17.352584] Call Trace:
    [   17.352586]  ? rev_id_show+0x8/0x8
    [   17.352587]  ? __cfi_check+0x45bac/0x4b640
    [   17.352589]  ? kobj_attr_show+0x73/0x80
    [   17.352590]  ? sysfs_kf_seq_show+0xc1/0x140
    [   17.352592]  ? ext4_seq_options_show.cfi_jt+0x8/0x8
    [   17.352593]  ? seq_read+0x180/0x600
    [   17.352595]  ? sysfs_create_file_ns.cfi_jt+0x10/0x10
    [   17.352596]  ? tlbflush_read_file+0x8/0x8
    [   17.352597]  ? __vfs_read+0x6b/0x220
    [   17.352598]  ? handle_mm_fault+0xa23/0x11b0
    [   17.352599]  ? vfs_read+0xa2/0x130
    [   17.352599]  ? ksys_read+0x6a/0xd0
    [   17.352601]  ? __do_sys_getpgrp+0x8/0x8
    [   17.352602]  ? do_syscall_64+0x72/0x120
    [   17.352603]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [   17.352604] ---[ end trace 7b1fa81dc897e419 ]---
    
    When /sys/firmware/acpi/pm_profile is read, sysfs_kf_seq_show is called,
    which in turn calls kobj_attr_show, which gets the ->show callback
    member by calling container_of on attr (casting it to struct
    kobj_attribute) then calls it.
    
    There is a CFI violation because pm_profile_attr is of type
    struct device_attribute but kobj_attr_show calls ->show expecting it
    to be from struct kobj_attribute. CFI checking ensures that function
    pointer types match when doing indirect calls. Fix pm_profile_attr to
    be defined in terms of kobj_attribute so there is no violation or
    mismatch.
    
    Fixes: 362b6460 ("ACPI: Export FADT pm_profile integer value to userspace")
    Link: https://github.com/ClangBuiltLinux/linux/issues/1051
    Reported-by: default avataryuu ichii <[email protected]>
    Signed-off-by: Nathan Chancellor's avatarNathan Chancellor <[email protected]>
    Cc: 3.10+ <[email protected]> # 3.10+
    Signed-off-by: default avatarRafael J. Wysocki <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    0e66857b
    KVM: X86: Fix MSR range of APIC registers in X2APIC mode · 8f0b24bc
    Xiaoyao Li authored
    commit bf10bd0b upstream.
    
    Only MSR address range 0x800 through 0x8ff is architecturally reserved
    and dedicated for accessing APIC registers in x2APIC mode.
    
    Fixes: 0105d1a5 ("KVM: x2apic interface to lapic")
    Signed-off-by: default avatarXiaoyao Li <[email protected]>
    Message-Id: <[email protected]>
    Cc: [email protected]
    Reviewed-by: default avatarSean Christopherson <[email protected]>
    Reviewed-by: default avatarJim Mattson <[email protected]>
    Signed-off-by: default avatarPaolo Bonzini <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    8f0b24bc
    KVM: nVMX: Plumb L2 GPA through to PML emulation · d0b5da24
    Sean Christopherson authored
    commit 2dbebf7a upstream.
    
    Explicitly pass the L2 GPA to kvm_arch_write_log_dirty(), which for all
    intents and purposes is vmx_write_pml_buffer(), instead of having the
    latter pull the GPA from vmcs.GUEST_PHYSICAL_ADDRESS.  If the dirty bit
    update is the result of KVM emulation (rare for L2), then the GPA in the
    VMCS may be stale and/or hold a completely unrelated GPA.
    
    Fixes: c5f983f6 ("nVMX: Implement emulated Page Modification Logging")
    Cc: [email protected]
    Signed-off-by: default avatarSean Christopherson <[email protected]>
    Message-Id: <[email protected]>
    Signed-off-by: default avatarPaolo Bonzini <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    d0b5da24
    btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof · b8c2bdd7
    Filipe Manana authored
    commit 4b194628 upstream.
    
    If we attempt to write to a prealloc extent located after eof using a
    RWF_NOWAIT write, we always fail with -EAGAIN.
    
    We do actually check if we have an allocated extent for the write at
    the start of btrfs_file_write_iter() through a call to check_can_nocow(),
    but later when we go into the actual direct IO write path we simply
    return -EAGAIN if the write starts at or beyond EOF.
    
    Trivial to reproduce:
    
      $ mkfs.btrfs -f /dev/sdb
      $ mount /dev/sdb /mnt
    
      $ touch /mnt/foo
      $ chattr +C /mnt/foo
    
      $ xfs_io -d -c "pwrite -S 0xab 0 64K" /mnt/foo
      wrote 65536/65536 bytes at offset 0
      64 KiB, 16 ops; 0.0004 sec (135.575 MiB/sec and 34707.1584 ops/sec)
    
      $ xfs_io -c "falloc -k 64K 1M" /mnt/foo
    
      $ xfs_io -d -c "pwrite -N -V 1 -S 0xfe -b 64K 64K 64K" /mnt/foo
      pwrite: Resource temporarily unavailable
    
    On xfs and ext4 the write succeeds, as expected.
    
    Fix this by removing the wrong check at btrfs_direct_IO().
    
    Fixes: edf064e7 ("btrfs: nowait aio support")
    CC: [email protected] # 4.14+
    Signed-off-by: default avatarFilipe Manana <[email protected]>
    Reviewed-by: default avatarDavid Sterba <[email protected]>
    Signed-off-by: default avatarDavid Sterba <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    b8c2bdd7
    mm/slab: use memzero_explicit() in kzfree() · 5996c009
    Waiman Long authored
    commit 8982ae52 upstream.
    
    The kzfree() function is normally used to clear some sensitive
    information, like encryption keys, in the buffer before freeing it back to
    the pool.  Memset() is currently used for buffer clearing.  However
    unlikely, there is still a non-zero probability that the compiler may
    choose to optimize away the memory clearing especially if LTO is being
    used in the future.
    
    To make sure that this optimization will never happen,
    memzero_explicit(), which is introduced in v3.18, is now used in
    kzfree() to future-proof it.
    
    Link: http://lkml.kernel.org/r/[email protected]
    Fixes: 3ef0e5ba ("slab: introduce kzfree()")
    Signed-off-by: Waiman Long's avatarWaiman Long <[email protected]>
    Acked-by: default avatarMichal Hocko <[email protected]>
    Cc: David Howells <[email protected]>
    Cc: Jarkko Sakkinen <[email protected]>
    Cc: James Morris <[email protected]>
    Cc: "Serge E. Hallyn" <[email protected]>
    Cc: Joe Perches <[email protected]>
    Cc: Matthew Wilcox <[email protected]>
    Cc: David Rientjes <[email protected]>
    Cc: Johannes Weiner <[email protected]>
    Cc: Dan Carpenter <[email protected]>
    Cc: "Jason A . Donenfeld" <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: default avatarAndrew Morton <[email protected]>
    Signed-off-by: default avatarLinus Torvalds <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    5996c009
    ocfs2: load global_inode_alloc · 4e168ac1
    Junxiao Bi authored
    commit 7569d3c7 upstream.
    
    Set global_inode_alloc as OCFS2_FIRST_ONLINE_SYSTEM_INODE, that will
    make it load during mount.  It can be used to test whether some
    global/system inodes are valid.  One use case is that nfsd will test
    whether root inode is valid.
    
    Link: http://lkml.kernel.org/r/[email protected]
    Signed-off-by: default avatarJunxiao Bi <[email protected]>
    Reviewed-by: default avatarJoseph Qi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Gang He <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: default avatarAndrew Morton <[email protected]>
    Signed-off-by: default avatarLinus Torvalds <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    4e168ac1
    ocfs2: fix value of OCFS2_INVALID_SLOT · 7e7e0232
    Junxiao Bi authored
    commit 9277f833 upstream.
    
    In the ocfs2 disk layout, slot number is 16 bits, but in ocfs2
    implementation, slot number is 32 bits.  Usually this will not cause any
    issue, because slot number is converted from u16 to u32, but
    OCFS2_INVALID_SLOT was defined as -1, when an invalid slot number from
    disk was obtained, its value was (u16)-1, and it was converted to u32.
    Then the following checking in get_local_system_inode will be always
    skipped:
    
     static struct inode **get_local_system_inode(struct ocfs2_super *osb,
                                                   int type,
                                                   u32 slot)
     {
     	BUG_ON(slot == OCFS2_INVALID_SLOT);
    	...
     }
    
    Link: http://lkml.kernel.org/r/[email protected]
    Signed-off-by: default avatarJunxiao Bi <[email protected]>
    Reviewed-by: default avatarJoseph Qi <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Gang He <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: default avatarAndrew Morton <[email protected]>
    Signed-off-by: default avatarLinus Torvalds <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    7e7e0232
    ocfs2: fix panic on nfs server over ocfs2 · eddba903
    Junxiao Bi authored
    commit e5a15e17 upstream.
    
    The following kernel panic was captured when running nfs server over
    ocfs2; at that time ocfs2_test_inode_bit() was checking whether one
    inode located at "blkno" 5 was valid, that is the ocfs2 root inode, whose
    "suballoc_slot" was OCFS2_INVALID_SLOT(65535) and which was allocated from
    //global_inode_alloc, but here it wrongly assumed that it was obtained from a per
    slot inode allocator, which would cause an array overflow and trigger a kernel
    panic.
    
      BUG: unable to handle kernel paging request at 0000000000001088
      IP: [<ffffffff816f6898>] _raw_spin_lock+0x18/0xf0
      PGD 1e06ba067 PUD 1e9e7d067 PMD 0
      Oops: 0002 [#1] SMP
      CPU: 6 PID: 24873 Comm: nfsd Not tainted 4.1.12-124.36.1.el6uek.x86_64 #2
      Hardware name: Huawei CH121 V3/IT11SGCA1, BIOS 3.87 02/02/2018
      RIP: _raw_spin_lock+0x18/0xf0
      RSP: e02b:ffff88005ae97908  EFLAGS: 00010206
      RAX: ffff88005ae98000 RBX: 0000000000001088 RCX: 0000000000000000
      RDX: 0000000000020000 RSI: 0000000000000009 RDI: 0000000000001088
      RBP: ffff88005ae97928 R08: 0000000000000000 R09: ffff880212878e00
      R10: 0000000000007ff0 R11: 0000000000000000 R12: 0000000000001088
      R13: ffff8800063c0aa8 R14: ffff8800650c27d0 R15: 000000000000ffff
      FS:  0000000000000000(0000) GS:ffff880218180000(0000) knlGS:ffff880218180000
      CS:  e033 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000001088 CR3: 00000002033d0000 CR4: 0000000000042660
      Call Trace:
        igrab+0x1e/0x60
        ocfs2_get_system_file_inode+0x63/0x3a0 [ocfs2]
        ocfs2_test_inode_bit+0x328/0xa00 [ocfs2]
        ocfs2_get_parent+0xba/0x3e0 [ocfs2]
        reconnect_path+0xb5/0x300
        exportfs_decode_fh+0xf6/0x2b0
        fh_verify+0x350/0x660 [nfsd]
        nfsd4_putfh+0x4d/0x60 [nfsd]
        nfsd4_proc_compound+0x3d3/0x6f0 [nfsd]
        nfsd_dispatch+0xe0/0x290 [nfsd]
        svc_process_common+0x412/0x6a0 [sunrpc]
        svc_process+0x123/0x210 [sunrpc]
        nfsd+0xff/0x170 [nfsd]
        kthread+0xcb/0xf0
        ret_from_fork+0x61/0x90
      Code: 83 c2 02 0f b7 f2 e8 18 dc 91 ff 66 90 eb bf 0f 1f 40 00 55 48 89 e5 41 56 41 55 41 54 53 0f 1f 44 00 00 48 89 fb ba 00 00 02 00 <f0> 0f c1 17 89 d0 45 31 e4 45 31 ed c1 e8 10 66 39 d0 41 89 c6
      RIP   _raw_spin_lock+0x18/0xf0
      CR2: 0000000000001088
      ---[ end trace 7264463cd1aac8f9 ]---
      Kernel panic - not syncing: Fatal exception
    
    Link: http://lkml.kernel.org/r/[email protected]Signed-off-by: default avatarJunxiao Bi <[email protected]>
    Reviewed-by: default avatarJoseph Qi <[email protected]>
    Cc: Changwei Ge <[email protected]>
    Cc: Gang He <[email protected]>
    Cc: Joel Becker <[email protected]>
    Cc: Jun Piao <[email protected]>
    Cc: Mark Fasheh <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: default avatarAndrew Morton <[email protected]>
    Signed-off-by: default avatarLinus Torvalds <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    eddba903
    arm64: perf: Report the PC value in REGS_ABI_32 mode · e6ceb8c2
    Jiping Ma authored
    commit 8dfe804a upstream.
    
    A 32-bit perf querying the registers of a compat task using REGS_ABI_32
    will receive zeroes from w15, when it expects to find the PC.
    
    Return the PC value for dwarf register 15 when returning register
    values for a compat task to perf.
    
    Cc: <[email protected]>
    Acked-by: default avatarMark Rutland <[email protected]>
    Signed-off-by: default avatarJiping Ma <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    [will: Shuffled code and added a comment]
    Signed-off-by: default avatarWill Deacon <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    e6ceb8c2
    tracing: Fix event trigger to accept redundant spaces · e0b24b35
    Masami Hiramatsu authored
    commit 6784bead upstream.
    
    Fix the event trigger to accept redundant spaces in
    the trigger input.
    
    For example, these return -EINVAL
    
    echo " traceon" > events/ftrace/print/trigger
    echo "traceon  if common_pid == 0" > events/ftrace/print/trigger
    echo "disable_event:kmem:kmalloc " > events/ftrace/print/trigger
    
    But from these it is hard to tell what is wrong.
    
    To fix this issue, use skip_spaces() to remove spaces
    in front of actual tokens, and set NULL if there is no
    token.
    
    Link: http://lkml.kernel.org/r/[email protected]
    
    Cc: Tom Zanussi <[email protected]>
    Cc: [email protected]
    Fixes: 85f2b082 ("tracing: Add basic event trigger framework")
    Reviewed-by: default avatarTom Zanussi <[email protected]>
    Signed-off-by: default avatarMasami Hiramatsu <[email protected]>
    Signed-off-by: default avatarSteven Rostedt (VMware) <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    e0b24b35
    drm/radeon: fix fb_div check in ni_init_smc_spll_table() · 1f12e319
    Denis Efremov authored
    commit 35f760b4 upstream.
    
    clk_s is checked twice in a row in ni_init_smc_spll_table().
    fb_div should be checked instead.
    
    Fixes: 69e0b57a ("drm/radeon/kms: add dpm support for cayman (v5)")
    Cc: [email protected]
    Signed-off-by: default avatarDenis Efremov <[email protected]>
    Signed-off-by: default avatarAlex Deucher <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    1f12e319
    Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate() · 92af7e45
    Dan Carpenter authored
    commit b65a2d8c upstream.
    
    The "ie_len" variable is in the 0-255 range and it comes from the
    network.  If it's over NDIS_802_11_LENGTH_RATES_EX (16) then that will
    lead to memory corruption.
    
    Fixes: 554c0a3a ("staging: Add rtl8723bs sdio wifi driver")
    Signed-off-by: default avatarDan Carpenter <[email protected]>
    Cc: stable <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    92af7e45
    sunrpc: fixed rollback in rpc_gssd_dummy_populate() · 127f57d4
    Vasily Averin authored
    commit b7ade381 upstream.
    
    __rpc_depopulate(gssd_dentry) was lost on error path
    
    cc: [email protected]
    Fixes: commit 4b9a445e ("sunrpc: create a new dummy pipe for gssd to hold open")
    Signed-off-by: default avatarVasily Averin <[email protected]>
    Reviewed-by: default avatarJeff Layton <[email protected]>
    Signed-off-by: default avatarAnna Schumaker <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    127f57d4
    SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() · 421e5a37
    Chuck Lever authored
    commit 89a3c9f5 upstream.
    
    @subbuf is an output parameter of xdr_buf_subsegment(). A survey of
    call sites shows that @subbuf is always uninitialized before
    xdr_buf_subsegment() is invoked by callers.
    
    There are some execution paths through xdr_buf_subsegment() that do
    not set all of the fields in @subbuf, leaving some pointer fields
    containing garbage addresses. Subsequent processing of that buffer
    then results in a page fault.
    Signed-off-by: default avatarChuck Lever <[email protected]>
    Cc: <[email protected]>
    Signed-off-by: default avatarAnna Schumaker <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    421e5a37
    pNFS/flexfiles: Fix list corruption if the mirror count changes · 261c8c38
    Trond Myklebust authored
    commit 8b040137 upstream.
    
    If the mirror count changes in the new layout we pick up inside
    ff_layout_pg_init_write(), then we can end up adding the
    request to the wrong mirror and corrupting the mirror->pg_list.
    
    Fixes: d600ad1f ("NFS41: pop some layoutget errors to application")
    Cc: [email protected]
    Signed-off-by: default avatarTrond Myklebust <[email protected]>
    Signed-off-by: default avatarAnna Schumaker <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    261c8c38
    NFSv4 fix CLOSE not waiting for direct IO compeletion · 6e68843f
    Olga Kornievskaia authored
    commit d03727b2 upstream.
    
    Figuring out the root case for the REMOVE/CLOSE race and
    suggesting the solution was done by Neil Brown.
    
    Currently what happens is that direct IO calls hold a reference
    on the open context which is decremented as an asynchronous task
    in nfs_direct_complete(). Before the reference is decremented,
    control is returned to the application, which is free to close the
    file. When close is being processed, it decrements its reference
    on the open_context, but since direct IO still holds one, it doesn't
    send a close on the wire. It returns control to the application,
    which is free to do other operations. For instance, it can delete a
    file. Direct IO finally releases its reference and triggers
    an asynchronous close, which races with the REMOVE. On the server,
    REMOVE can be processed before the CLOSE, failing the REMOVE with
    EACCES as the file is still opened.
    Signed-off-by: default avatarOlga Kornievskaia <[email protected]>
    Suggested-by: default avatarNeil Brown <[email protected]>
    CC: [email protected]
    Signed-off-by: default avatarAnna Schumaker <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    6e68843f
    xfs: add agf freeblocks verify in xfs_agf_verify · 59e2b644
    Zheng Bin authored
    [ Upstream commit d0c7feaf ]
    
    We recently used fuzz(hydra) to test XFS and automatically generate
    tmp.img(XFS v5 format, but some metadata is wrong)
    
    xfs_repair information(just one AG):
    agf_freeblks 0, counted 3224 in ag 0
    agf_longest 536874136, counted 3224 in ag 0
    sb_fdblocks 613, counted 3228
    
    Test as follows:
    mount tmp.img tmpdir
    cp file1M tmpdir
    sync
    
    In 4.19-stable, sync will stuck, the reason is:
    xfs_mountfs
      xfs_check_summary_counts
        if ((!xfs_sb_version_haslazysbcount(&mp->m_sb) ||
           XFS_LAST_UNMOUNT_WAS_CLEAN(mp)) &&
           !xfs_fs_has_sickness(mp, XFS_SICK_FS_COUNTERS))
    	return 0;  -->just return, incore sb_fdblocks still be 613
        xfs_initialize_perag_data
    
    cp file1M tmpdir -->ok(write file to pagecache)
    sync -->stuck(write pagecache to disk)
    xfs_map_blocks
      xfs_iomap_write_allocate
        while (count_fsb != 0) {
          nimaps = 0;
          while (nimaps == 0) { --> endless loop
             nimaps = 1;
             xfs_bmapi_write(..., &nimaps) --> nimaps becomes 0 again
    xfs_bmapi_write
      xfs_bmap_alloc
        xfs_bmap_btalloc
          xfs_alloc_vextent
            xfs_alloc_fix_freelist
              xfs_alloc_space_available -->fail(agf_freeblks is 0)
    
    In linux-next, sync not stuck, cause commit c2b31643 ("xfs:
    use the latest extent at writeback delalloc conversion time") remove
    the above while, dmesg is as follows:
    [   55.250114] XFS (loop0): page discard on page ffffea0008bc7380, inode 0x1b0c, offset 0.
    
    Users do not know why this page is discarded; the better solution is:
    1. Like xfs_repair, make sure sb_fdblocks is equal to counted
    (xfs_initialize_perag_data does this, but it is not called at this mount)
    2. Add agf verify; if it fails, tell users to repair
    
    This patch uses the second solution.
    Signed-off-by: default avatarZheng Bin <[email protected]>
    Signed-off-by: default avatarRen Xudong <[email protected]>
    Reviewed-by: default avatarDarrick J. Wong <[email protected]>
    Signed-off-by: default avatarDarrick J. Wong <[email protected]>
    Signed-off-by: default avatarSasha Levin <[email protected]>
    59e2b644
    Revert "tty: hvc: Fix data abort due to race in hvc_open" · 45c4411f
    Greg Kroah-Hartman authored
    commit cf9c9445 upstream.
    
    This reverts commit e2bd1dcb.
    
    In discussion on the mailing list, it has been determined that this is
    not the correct type of fix for this issue.  Revert it so that we can do
    this correctly.
    Reported-by: default avatarJiri Slaby <[email protected]>
    Reported-by: default avatarGreg Kroah-Hartman <[email protected]>
    Link: https://lore.kernel.org/r/[email protected]
    Cc: Raghavendra Rao Ananta <[email protected]>
    Signed-off-by: default avatarGreg Kroah-Hartman <[email protected]>
    45c4411f
......@@ -249,10 +249,10 @@
status = "disabled";
};
mailbox: mailbox@25000 {
mailbox: mailbox@25c00 {
compatible = "brcm,iproc-fa2-mbox";
reg = <0x25000 0x445>;
interrupts = <GIC_SPI 150 IRQ_TYPE_LEVEL_HIGH>;
reg = <0x25c00 0x400>;
interrupts = <GIC_SPI 151 IRQ_TYPE_LEVEL_HIGH>;
#mbox-cells = <1>;
brcm,rx-status-len = <32>;
brcm,use-bcm-hdr;
......
......@@ -301,14 +301,14 @@ static int __init imx_suspend_alloc_ocram(
if (!ocram_pool) {
pr_warn("%s: ocram pool unavailable!\n", __func__);
ret = -ENODEV;
goto put_node;
goto put_device;
}
ocram_base = gen_pool_alloc(ocram_pool, size);
if (!ocram_base) {
pr_warn("%s: unable to alloc ocram!\n", __func__);
ret = -ENOMEM;
goto put_node;
goto put_device;
}
phys = gen_pool_virt_to_phys(ocram_pool, ocram_base);
......@@ -318,6 +318,8 @@ static int __init imx_suspend_alloc_ocram(
if (virt_out)
*virt_out = virt;
put_device:
put_device(&pdev->dev);
put_node:
of_node_put(node);
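Review bot: The new `put_device:` label drops the `pdev` reference on the success path and on the two error paths rerouted in the first hunk, but any `goto put_node` that sits between the point where `pdev` is obtained and this block (outside the hunks) would still skip it and leak the reference — worth confirming against the full function. A comment above the label, `/* balances the reference taken when pdev was looked up from node */`, would make the ordering of the two labels intentional rather than incidental. imx_suspend_alloc_ocram() starts and ends outside the hunks shown.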
......
......@@ -15,15 +15,34 @@ u64 perf_reg_value(struct pt_regs *regs, int idx)
return 0;
/*
* Compat (i.e. 32 bit) mode:
* - PC has been set in the pt_regs struct in kernel_entry,
* - Handle SP and LR here.
* Our handling of compat tasks (PERF_SAMPLE_REGS_ABI_32) is weird, but
* we're stuck with it for ABI compatability reasons.
*
* For a 32-bit consumer inspecting a 32-bit task, then it will look at
* the first 16 registers (see arch/arm/include/uapi/asm/perf_regs.h).
* These correspond directly to a prefix of the registers saved in our
* 'struct pt_regs', with the exception of the PC, so we copy that down
* (x15 corresponds to SP_hyp in the architecture).
*
* So far, so good.
*
* The oddity arises when a 64-bit consumer looks at a 32-bit task and
* asks for registers beyond PERF_REG_ARM_MAX. In this case, we return
* SP_usr, LR_usr and PC in the positions where the AArch64 SP, LR and
* PC registers would normally live. The initial idea was to allow a
* 64-bit unwinder to unwind a 32-bit task and, although it's not clear
* how well that works in practice, somebody might be relying on it.
*
* At the time we make a sample, we don't know whether the consumer is
* 32-bit or 64-bit, so we have to cater for both possibilities.
*/
if (compat_user_mode(regs)) {
if ((u32)idx == PERF_REG_ARM64_SP)
return regs->compat_sp;
if ((u32)idx == PERF_REG_ARM64_LR)
return regs->compat_lr;
if (idx == 15)
return regs->pc;
}
if ((u32)idx == PERF_REG_ARM64_SP)
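Review bot: The new `if (idx == 15)` compares the raw signed `idx`, while the two checks directly above it cast to `u32` first; for consistency write `if ((u32)idx == 15)`, and give the bare 15 a one-line comment tying it to the block above, e.g. `/* dwarf register 15 is the PC for a 32-bit consumer */`. The new comment spells "compatability"; it should read "compatibility". perf_reg_value() starts before and ends after this hunk.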
......
......@@ -322,6 +322,25 @@ static inline void __poke_user_per(struct task_struct *child,
child->thread.per_user.end = data;
}
static void fixup_int_code(struct task_struct *child, addr_t data)
{
struct pt_regs *regs = task_pt_regs(child);
int ilc = regs->int_code >> 16;
u16 insn;
if (ilc > 6)
return;
if (ptrace_access_vm(child, regs->psw.addr - (regs->int_code >> 16),
&insn, sizeof(insn), FOLL_FORCE) != sizeof(insn))
return;
/* double check that tracee stopped on svc instruction */
if ((insn >> 8) != 0xa)
return;
regs->int_code = 0x20000 | (data & 0xffff);
}
/*
* Write a word to the user area of a process at location addr. This
* operation does have an additional problem compared to peek_user.
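Review bot: `fixup_int_code()` computes `ilc` from `regs->int_code >> 16` and then recomputes the same shift inline in the `ptrace_access_vm()` call; using the local, `regs->psw.addr - ilc`, makes the bound check and the address it guards visibly refer to the same value. The `ilc > 6` upper bound is checked but `ilc == 0` is not, which would read the instruction at `psw.addr` itself rather than before it — presumably unreachable at a syscall stop, but a short comment saying so would help. The magic values also deserve names or comments, e.g. `/* 0x0a: svc opcode */` on the `(insn >> 8) != 0xa` test and `/* ILC 2 << 16 | new syscall number */` on the `0x20000 |` store. The function is fully contained in this hunk; its two call sites are in the later hunks of this file.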
......@@ -333,7 +352,9 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
struct user *dummy = NULL;
addr_t offset;
if (addr < (addr_t) &dummy->regs.acrs) {
struct pt_regs *regs = task_pt_regs(child);
/*
* psw and gprs are stored on the stack
*/
......@@ -351,7 +372,11 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
/* Invalid addressing mode bits */
return -EINVAL;
}
*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
if (test_pt_regs_flag(regs, PIF_SYSCALL) &&
addr == offsetof(struct user, regs.gprs[2]))
fixup_int_code(child, data);
*(addr_t *)((addr_t) &regs->psw + addr) = data;
} else if (addr < (addr_t) (&dummy->regs.orig_gpr2)) {
/*
......@@ -717,6 +742,10 @@ static int __poke_user_compat(struct task_struct *child,
regs->psw.mask = (regs->psw.mask & ~PSW_MASK_BA) |
(__u64)(tmp & PSW32_ADDR_AMODE);
} else {
if (test_pt_regs_flag(regs, PIF_SYSCALL) &&
addr == offsetof(struct compat_user, regs.gprs[2]))
fixup_int_code(child, data);
/* gpr 0-15 */
*(__u32*)((addr_t) &regs->psw + addr*2 + 4) = tmp;
}
......
......@@ -168,12 +168,17 @@ static int genregs32_set(struct task_struct *target,
if (ret || !count)
return ret;
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
&regs->y,
&regs->npc,
34 * sizeof(u32), 35 * sizeof(u32));
if (ret || !count)
return ret;
ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
&regs->y,
35 * sizeof(u32), 36 * sizeof(u32));
if (ret || !count)
return ret;
return user_regset_copyin_ignore(&pos, &count, &kbuf, &ubuf,
35 * sizeof(u32), 38 * sizeof(u32));
36 * sizeof(u32), 38 * sizeof(u32));
}
static int fpregs32_get(struct task_struct *target,
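Review bot: The three `user_regset_copyin()` calls address the 32-bit regset with bare slot offsets (`34 * sizeof(u32)`, `35 * sizeof(u32)`, `36 * sizeof(u32)`), and the whole fix is that `&regs->y` moves from slot 34 to slot 35 with `&regs->npc` taking slot 34; a comment pinning the layout, `/* regset slots: 34 = npc, 35 = y, 36..37 = ignored */`, would stop a later cleanup from re-merging the calls. genregs32_set() starts before this hunk.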
......
......@@ -1060,7 +1060,7 @@ struct kvm_x86_ops {
void (*enable_log_dirty_pt_masked)(struct kvm *kvm,
struct kvm_memory_slot *slot,
gfn_t offset, unsigned long mask);
int (*write_log_dirty)(struct kvm_vcpu *vcpu);
int (*write_log_dirty)(struct kvm_vcpu *vcpu, gpa_t l2_gpa);
/* pmu operations of sub-arch */
const struct kvm_pmu_ops *pmu_ops;
......
......@@ -1713,10 +1713,10 @@ void kvm_arch_mmu_enable_log_dirty_pt_masked(struct kvm *kvm,
* Emulate arch specific page modification logging for the
* nested hypervisor
*/
int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu)
int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu, gpa_t l2_gpa)
{
if (kvm_x86_ops->write_log_dirty)
return kvm_x86_ops->write_log_dirty(vcpu);
return kvm_x86_ops->write_log_dirty(vcpu, l2_gpa);
return 0;
}
......
......@@ -194,7 +194,7 @@ void kvm_mmu_gfn_disallow_lpage(struct kvm_memory_slot *slot, gfn_t gfn);
void kvm_mmu_gfn_allow_lpage(struct kvm_memory_slot *slot, gfn_t gfn);
bool kvm_mmu_slot_gfn_write_protect(struct kvm *kvm,
struct kvm_memory_slot *slot, u64 gfn);
int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu);
int kvm_arch_write_log_dirty(struct kvm_vcpu *vcpu, gpa_t l2_gpa);
int kvm_mmu_post_init_vm(struct kvm *kvm);
void kvm_mmu_pre_destroy_vm(struct kvm *kvm);
......
......@@ -202,7 +202,7 @@ static inline unsigned FNAME(gpte_access)(struct kvm_vcpu *vcpu, u64 gpte)
static int FNAME(update_accessed_dirty_bits)(struct kvm_vcpu *vcpu,
struct kvm_mmu *mmu,
struct guest_walker *walker,
int write_fault)
gpa_t addr, int write_fault)
{
unsigned level, index;
pt_element_t pte, orig_pte;
......@@ -227,7 +227,7 @@ static int FNAME(update_accessed_dirty_bits)(struct kvm_vcpu *vcpu,
!(pte & PT_GUEST_DIRTY_MASK)) {
trace_kvm_mmu_set_dirty_bit(table_gfn, index, sizeof(pte));
#if PTTYPE == PTTYPE_EPT
if (kvm_arch_write_log_dirty(vcpu))
if (kvm_arch_write_log_dirty(vcpu, addr))
return -EINVAL;
#endif
pte |= PT_GUEST_DIRTY_MASK;
......@@ -424,7 +424,8 @@ static int FNAME(walk_addr_generic)(struct guest_walker *walker,
(PT_GUEST_DIRTY_SHIFT - PT_GUEST_ACCESSED_SHIFT);
if (unlikely(!accessed_dirty)) {
ret = FNAME(update_accessed_dirty_bits)(vcpu, mmu, walker, write_fault);
ret = FNAME(update_accessed_dirty_bits)(vcpu, mmu, walker,
addr, write_fault);
if (unlikely(ret < 0))
goto error;
else if (ret)
......
......@@ -12462,11 +12462,10 @@ static void vmx_flush_log_dirty(struct kvm *kvm)
kvm_flush_pml_buffers(kvm);
}
static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu, gpa_t gpa)
{
struct vmcs12 *vmcs12;
struct vcpu_vmx *vmx = to_vmx(vcpu);
gpa_t gpa;
struct page *page = NULL;
u64 *pml_address;
......@@ -12487,7 +12486,7 @@ static int vmx_write_pml_buffer(struct kvm_vcpu *vcpu)
return 1;
}
gpa = vmcs_read64(GUEST_PHYSICAL_ADDRESS) & ~0xFFFull;
gpa &= ~0xFFFull;
page = kvm_vcpu_gpa_to_page(vcpu, vmcs12->pml_address);
if (is_error_page(page))
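Review bot: `vmx_write_pml_buffer()` now masks its parameter in place, `gpa &= ~0xFFFull;`, with nothing saying why the caller-supplied address replaces the `GUEST_PHYSICAL_ADDRESS` VMCS read; a comment such as `/* PML logs 4K pages: strip the offset bits of the L2 GPA passed by the page walker */` would explain both the mask and the new source of the address (threaded through kvm_arch_write_log_dirty() in the earlier sections of this commit). Naming the parameter `l2_gpa`, as the `kvm_x86_ops` prototype does, would keep the two signatures consistent. The function starts in the first hunk and ends outside the second.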
......
......@@ -2344,7 +2344,7 @@ int kvm_set_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
return kvm_mtrr_set_msr(vcpu, msr, data);
case MSR_IA32_APICBASE:
return kvm_set_apic_base(vcpu, msr_info);
case APIC_BASE_MSR ... APIC_BASE_MSR + 0x3ff:
case APIC_BASE_MSR ... APIC_BASE_MSR + 0xff:
return kvm_x2apic_msr_write(vcpu, msr, data);
case MSR_IA32_TSCDEADLINE:
kvm_set_lapic_tscdeadline_msr(vcpu, data);
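Review bot: Narrowing the `APIC_BASE_MSR` case to `+ 0xff` moves MSRs 0x900–0xbff to the `default` arm of the switch in both `kvm_set_msr_common()` and `kvm_get_msr_common()` (second hunk of this file), yet neither hunk records why 0x100 entries is the right width. A one-line comment, e.g. `/* x2APIC MSRs: one per 16-byte APIC register of the 4K register page */`, would document the bound — assuming the x2APIC index is translated to the APIC register offset by a shift of 4 in the callee, which is not visible here. Both enclosing functions start and end outside the hunks.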
......@@ -2629,7 +2629,7 @@ int kvm_get_msr_common(struct kvm_vcpu *vcpu, struct msr_data *msr_info)
case MSR_IA32_APICBASE:
msr_info->data = kvm_get_apic_base(vcpu);
break;
case APIC_BASE_MSR ... APIC_BASE_MSR + 0x3ff:
case APIC_BASE_MSR ... APIC_BASE_MSR + 0xff:
return kvm_x2apic_msr_read(vcpu, msr_info->index, &msr_info->data);
break;
case MSR_IA32_TSCDEADLINE:
......
......@@ -315,7 +315,6 @@ bool bio_integrity_prep(struct bio *bio)
if (ret == 0) {
printk(KERN_ERR "could not attach integrity payload\n");
kfree(buf);
status = BLK_STS_RESOURCE;
goto err_end_io;
}
......
......@@ -942,13 +942,13 @@ static void __exit interrupt_stats_exit(void)
}
static ssize_t
acpi_show_profile(struct device *dev, struct device_attribute *attr,
acpi_show_profile(struct kobject *kobj, struct kobj_attribute *attr,
char *buf)
{
return sprintf(buf, "%d\n", acpi_gbl_FADT.preferred_profile);
}
static const struct device_attribute pm_profile_attr =
static const struct kobj_attribute pm_profile_attr =
__ATTR(pm_profile, S_IRUGO, acpi_show_profile, NULL);
static ssize_t hotplug_enabled_show(struct kobject *kobj,
......
......@@ -3996,12 +3996,13 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc)
{
struct scsi_cmnd *scmd = qc->scsicmd;
const u8 *cdb = scmd->cmnd;
const u8 *p;
u8 pg, spg;
unsigned six_byte, pg_len, hdr_len, bd_len;
int len;
u16 fp = (u16)-1;
u8 bp = 0xff;
u8 buffer[64];
const u8 *p = buffer;
VPRINTK("ENTER\n");
......@@ -4035,12 +4036,14 @@ static unsigned int ata_scsi_mode_select_xlat(struct ata_queued_cmd *qc)
if (!scsi_sg_count(scmd) || scsi_sglist(scmd)->length < len)
goto invalid_param_len;
p = page_address(sg_page(scsi_sglist(scmd)));
/* Move past header and block descriptors. */
if (len < hdr_len)
goto invalid_param_len;
if (!sg_copy_to_buffer(scsi_sglist(scmd), scsi_sg_count(scmd),
buffer, sizeof(buffer)))
goto invalid_param_len;
if (six_byte)
bd_len = p[3];
else
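Review bot: `sg_copy_to_buffer()` copies at most `sizeof(buffer)` (64) bytes, but the only length checks in this hunk compare `len` against the scatterlist length and `hdr_len`, never against the buffer; if the parsing that follows (outside the hunk) bounds itself by `len`, a parameter list longer than 64 bytes lets `p[...]` read past the stack buffer. Add `if (len > sizeof(buffer)) goto invalid_param_len;` before the copy so `len` and the copied data agree. The `u8 buffer[64]` size is also a magic number; naming it next to the other mode-page constants would tie it to the header, block-descriptor and page sizes it is meant to hold. ata_scsi_mode_select_xlat() ends outside the hunk.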
......
......@@ -1110,7 +1110,7 @@ loop_set_status(struct loop_device *lo, const struct loop_info64 *info)
if (lo->lo_offset != info->lo_offset ||
lo->lo_sizelimit != info->lo_sizelimit) {
sync_blockdev(lo->lo_device);
kill_bdev(lo->lo_device);
invalidate_bdev(lo->lo_device);
}
/* I/O need to be drained during transfer transition */
......@@ -1380,12 +1380,12 @@ static int loop_set_block_size(struct loop_device *lo, unsigned long arg)
if (lo->lo_queue->limits.logical_block_size != arg) {
sync_blockdev(lo->lo_device);
kill_bdev(lo->lo_device);
invalidate_bdev(lo->lo_device);
}
blk_mq_freeze_queue(lo->lo_queue);
/* kill_bdev should have truncated all the pages */
/* invalidate_bdev should have truncated all the pages */
if (lo->lo_queue->limits.logical_block_size != arg &&
lo->lo_device->bd_inode->i_mapping->nrpages) {
err = -EAGAIN;
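Review bot: The updated comment `/* invalidate_bdev should have truncated all the pages */` keeps the wording written for kill_bdev(); invalidate_bdev() only drops clean, unmapped page-cache pages, so the `nrpages` test below is now the check that dirty or mapped pages make the block-size change fail with -EAGAIN instead of being discarded. Rewording it to `/* invalidate_bdev drops clean pages; anything left is dirty or mapped and must fail the resize */` states what the condition actually guards. The same kill_bdev()→invalidate_bdev() swap in loop_set_status() (first hunk) has no comment explaining the weaker semantics. loop_set_block_size() starts before and ends after this hunk.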
......
......@@ -180,7 +180,7 @@ static int esre_create_sysfs_entry(void *esre, int entry_num)
rc = kobject_init_and_add(&entry->kobj, &esre1_ktype, NULL,
"entry%d", entry_num);
if (rc) {
kfree(entry);
kobject_put(&entry->kobj);
return rc;
}
}
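Review bot: Replacing `kfree(entry)` with `kobject_put(&entry->kobj)` on the `kobject_init_and_add()` failure path is only correct if `esre1_ktype` has a release callback that frees the containing `entry`; that ktype is outside the hunk, so please confirm it, otherwise the entry now leaks instead of being double-freed. A comment on the put, `/* kobject_init() took a reference; the ktype release() frees entry */`, records the ownership rule for the next reader. esre_create_sysfs_entry() starts before this hunk.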
......
......@@ -2126,7 +2126,7 @@ static int ni_init_smc_spll_table(struct radeon_device *rdev)
if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT))
ret = -EINVAL;
if (clk_s & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKS_SHIFT))
if (fb_div & ~(SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_FBDIV_SHIFT))
ret = -EINVAL;
if (clk_v & ~(SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_MASK >> SMC_NISLANDS_SPLL_DIV_TABLE_CLKV_SHIFT))
......
......@@ -1482,6 +1482,8 @@ static struct rdma_id_private *cma_find_listener(
{
struct rdma_id_private *id_priv, *id_priv_dev;
lockdep_assert_held(&lock);
if (!bind_list)
return ERR_PTR(-EINVAL);
......@@ -1530,6 +1532,7 @@ static struct rdma_id_private *cma_id_from_event(struct ib_cm_id *cm_id,
}
}
mutex_lock(&lock);
/*
* Net namespace might be getting deleted while route lookup,
* cm_id lookup is in progress. Therefore, perform netdevice
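Review bot: `mutex_lock(&lock)` is now taken at the top of the netdevice lookup in `cma_id_from_event()`, and the matching `mutex_unlock(&lock)` is in the next hunk after `rcu_read_unlock()` at the `err:` label; every return between the two hunks must therefore reach `err:`, which cannot be confirmed from the visible lines. A comment at the lock, `/* held across the listener lookup; released at err: */`, would make the pairing explicit, and the `lockdep_assert_held(&lock)` added to cma_find_listener() in the first hunk enforces it for that callee. The mutex is also held across the route lookup the comment below describes, so everything called there must be safe to run under it. cma_id_from_event() starts before and ends after these hunks.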
......@@ -1571,6 +1574,7 @@ static struct rdma_id_private *cma_id_from_event(struct ib_cm_id *cm_id,
id_priv = cma_find_listener(bind_list, cm_id, ib_event, &req, *net_dev);
err:
rcu_read_unlock();
mutex_unlock(&lock);
if (IS_ERR(id_priv) && *net_dev) {
dev_put(*net_dev);
*net_dev = NULL;
......@@ -2287,6 +2291,8 @@ static void cma_listen_on_dev(struct rdma_id_private *id_priv,
struct net *net = id_priv->id.route.addr.dev_addr.net;
int ret;
lockdep_assert_held(&lock);
if (cma_family(id_priv) == AF_IB && !rdma_cap_ib_cm(cma_dev->device, 1))
return;
......@@ -2993,6 +2999,8 @@ static void cma_bind_port(struct rdma_bind_list *bind_list,
u64 sid, mask;
__be16 port;
lockdep_assert_held(&lock);
addr = cma_src_addr(id_priv);
port = htons(bind_list->port);
......@@ -3021,6 +3029,8 @@ static int cma_alloc_port(enum rdma_port_space ps,
struct rdma_bind_list *bind_list;
int ret;
lockdep_assert_held(&lock);
bind_list = kzalloc(sizeof *bind_list, GFP_KERNEL);
if (!bind_list)
return -ENOMEM;
......@@ -3047,6 +3057,8 @@ static int cma_port_is_unique(struct rdma_bind_list *bind_list,
struct sockaddr *saddr = cma_src_addr(id_priv);
__be16 dport = cma_port(daddr);
lockdep_assert_held(&lock);
hlist_for_each_entry(cur_id, &bind_list->owners, node) {
struct sockaddr *cur_daddr = cma_dst_addr(cur_id);
struct sockaddr *cur_saddr = cma_src_addr(cur_id);
......@@ -3086,6 +3098,8 @@ static int cma_alloc_any_port(enum rdma_port_space ps,
unsigned int rover;
struct net *net = id_priv->id.route.addr.dev_addr.net;
lockdep_assert_held(&lock);
inet_get_local_port_range(net, &low, &high);
remaining = (high - low) + 1;
rover = prandom_u32() % remaining + low;
......@@ -3133,6 +3147,8 @@ static int cma_check_port(struct rdma_bind_list *bind_list,
struct rdma_id_private *cur_id;
struct sockaddr *addr, *cur_addr;
lockdep_assert_held(&lock);
addr = cma_src_addr(id_priv);
hlist_for_each_entry(cur_id, &bind_list->owners, node) {
if (id_priv == cur_id)
......@@ -3163,6 +3179,8 @@ static int cma_use_port(enum rdma_port_space ps,
unsigned short snum;
int ret;
lockdep_assert_held(&lock);
snum = ntohs(cma_port(cma_src_addr(id_priv)));
if (snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
return -EACCES;
......
......@@ -2907,6 +2907,7 @@ static int ib_mad_post_receive_mads(struct ib_mad_qp_info *qp_info,
DMA_FROM_DEVICE);
if (unlikely(ib_dma_mapping_error(qp_info->port_priv->device,
sg_list.addr))) {
kfree(mad_priv);
ret = -ENOMEM;
break;
}
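Review bot: After the new `kfree(mad_priv)` the loop `break`s with `mad_priv` still pointing at freed memory; if the code after the loop (outside the hunk) inspects or unwinds `mad_priv`, it should be reset with `mad_priv = NULL;` right after the free. Otherwise a comment, `/* not queued: nothing else references mad_priv */`, would document why the dangling pointer is harmless. ib_mad_post_receive_mads() starts before and ends after this hunk.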
......
......@@ -1250,8 +1250,12 @@ static int __alx_open(struct alx_priv *alx, bool resume)
static void __alx_stop(struct alx_priv *alx)
{
alx_halt(alx);
alx_free_irq(alx);
cancel_work_sync(&alx->link_check_wk);
cancel_work_sync(&alx->reset_wk);
alx_halt(alx);
alx_free_rings(alx);
alx_free_napis(alx);
}
......@@ -1863,9 +1867,6 @@ static void alx_remove(struct pci_dev *pdev)
struct alx_priv *alx = pci_get_drvdata(pdev);
struct alx_hw *hw = &alx->hw;
cancel_work_sync(&alx->link_check_wk);
cancel_work_sync(&alx->reset_wk);
/* restore permanent mac address */
alx_set_macaddr(hw, hw->perm_addr);
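Review bot: Moving the two `cancel_work_sync()` calls from `alx_remove()` into `__alx_stop()` means the work items are cancelled only when the device goes through the stop path; if either work can be queued while the netdev is down (not visible in these hunks), `alx_remove()` no longer waits for it. A comment in `alx_remove()` noting that `unregister_netdev()` reaches `__alx_stop()` and performs the cancel would record the dependency. In `__alx_stop()` the new order — cancel the works, then `alx_halt()`, then `alx_free_irq()` — should carry a comment stating why the works must drain before the halt, since `alx_halt()` was previously first. Both enclosing functions end outside the hunks.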
......
......@@ -1567,11 +1567,6 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
goto out;
}
if (skb_padto(skb, ETH_ZLEN)) {
ret = NETDEV_TX_OK;
goto out;
}
/* Retain how many bytes will be sent on the wire, without TSB inserted
* by transmit checksum offload
*/
......@@ -1621,6 +1616,9 @@ static netdev_tx_t bcmgenet_xmit(struct sk_buff *skb, struct net_device *dev)
len_stat = (size << DMA_BUFLENGTH_SHIFT) |
(priv->hw_params->qtag_mask << DMA_TX_QTAG_SHIFT);
/* Note: if we ever change from DMA_TX_APPEND_CRC below we
* will need to restore software padding of "runt" packets
*/
if (!i) {
len_stat |= DMA_TX_APPEND_CRC | DMA_SOP;
if (skb->ip_summed == CHECKSUM_PARTIAL)
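Review bot: The new comment says software padding would need restoring if `DMA_TX_APPEND_CRC` ever changes, but it does not say what was removed; naming it — `/* ... restore the skb_padto(skb, ETH_ZLEN) software padding of "runt" packets */` — lets a future reader recover the exact call dropped in the first hunk. bcmgenet_xmit() starts before and ends after these hunks.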
......
......@@ -18179,8 +18179,8 @@ static pci_ers_result_t tg3_io_error_detected(struct pci_dev *pdev,
rtnl_lock();
/* We probably don't have netdev yet */
if (!netdev || !netif_running(netdev))
/* Could be second call or maybe we don't have netdev yet */
if (!netdev || tp->pcierr_recovery || !netif_running(netdev))
goto done;
/* We needn't recover from permanent error */
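Review bot: The new condition `!netdev || tp->pcierr_recovery || !netif_running(netdev)` dereferences `tp` only because `!netdev` is tested first; if `tp` is derived from `netdev` (its definition is outside the hunk) that ordering is load-bearing, so a comment such as `/* tp is only valid when netdev is; keep !netdev first */` guards against a later reordering of the operands. tg3_io_error_detected() starts before and ends after this hunk.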
......
......@@ -1695,7 +1695,7 @@ static int ibmveth_probe(struct vio_dev *dev, const struct vio_device_id *id)
}
netdev->min_mtu = IBMVETH_MIN_MTU;
netdev->max_mtu = ETH_MAX_MTU;
netdev->max_mtu = ETH_MAX_MTU - IBMVETH_BUFF_OH;
memcpy(netdev->dev_addr, mac_addr_p, ETH_ALEN);
......
......@@ -396,7 +396,7 @@ static void qed_cxt_qm_iids(struct qed_hwfn *p_hwfn,
vf_tids += segs[NUM_TASK_PF_SEGMENTS].count;
}
iids->vf_cids += vf_cids * p_mngr->vf_count;
iids->vf_cids = vf_cids;
iids->tids += vf_tids * p_mngr->vf_count;
DP_VERBOSE(p_hwfn, QED_MSG_ILT,
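Review bot: `iids->vf_cids = vf_cids;` now assigns an unscaled value while the very next line still accumulates `vf_tids * p_mngr->vf_count`, and the hunk gives no reason for the asymmetry; without a comment the per-VF versus total distinction looks like a mistake and invites being "re-fixed". Add a one-line note at the assignment stating where vf_cids is multiplied by the VF count, or that it is deliberately per-VF. qed_cxt_qm_iids() starts before and ends after this hunk.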
......
......@@ -81,12 +81,17 @@ static void qed_vf_pf_req_end(struct qed_hwfn *p_hwfn, int req_status)
mutex_unlock(&(p_hwfn->vf_iov_info->mutex));
}
#define QED_VF_CHANNEL_USLEEP_ITERATIONS 90
#define QED_VF_CHANNEL_USLEEP_DELAY 100
#define QED_VF_CHANNEL_MSLEEP_ITERATIONS 10
#define QED_VF_CHANNEL_MSLEEP_DELAY 25
static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size)
{
union vfpf_tlvs *p_req = p_hwfn->vf_iov_info->vf2pf_request;
struct ustorm_trigger_vf_zone trigger;
struct ustorm_vf_zone *zone_data;
int rc = 0, time = 100;
int iter, rc = 0;
zone_data = (struct ustorm_vf_zone *)PXP_VF_BAR0_START_USDM_ZONE_B;
......@@ -126,11 +131,19 @@ static int qed_send_msg2pf(struct qed_hwfn *p_hwfn, u8 *done, u32 resp_size)
REG_WR(p_hwfn, (uintptr_t)&zone_data->trigger, *((u32 *)&trigger));
/* When PF would be done with the response, it would write back to the
* `done' address. Poll until then.
* `done' address from a coherent DMA zone. Poll until then.
*/
while ((!*done) && time) {
msleep(25);
time--;
iter = QED_VF_CHANNEL_USLEEP_ITERATIONS;
while (!*done && iter--) {
udelay(QED_VF_CHANNEL_USLEEP_DELAY);
dma_rmb();
}
iter = QED_VF_CHANNEL_MSLEEP_ITERATIONS;
while (!*done && iter--) {
msleep(QED_VF_CHANNEL_MSLEEP_DELAY);
dma_rmb();
}
if (!*done) {
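Review bot: The new two-phase poll waits at most 90 × 100 µs plus 10 × 25 ms (about 259 ms) for `*done`, whereas the removed loop waited up to 100 × 25 ms = 2.5 s; nothing in the hunk says the PF is guaranteed to answer an order of magnitude faster, so either `QED_VF_CHANNEL_MSLEEP_ITERATIONS` or a comment above the defines should justify the smaller budget. `*done` is re-read through a plain `u8 *`; `dma_rmb()` is also a compiler barrier so the load is not hoisted, but `READ_ONCE(*done)` would make that intent explicit. qed_send_msg2pf() ends outside the hunk.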
......
......@@ -651,10 +651,10 @@ static int rocker_dma_rings_init(struct rocker *rocker)
err_dma_event_ring_bufs_alloc:
rocker_dma_ring_destroy(rocker, &rocker->event_ring);
err_dma_event_ring_create:
rocker_dma_cmd_ring_waits_free(rocker);
err_dma_cmd_ring_waits_alloc:
rocker_dma_ring_bufs_free(rocker, &rocker->cmd_ring,
PCI_DMA_BIDIRECTIONAL);
err_dma_cmd_ring_waits_alloc:
rocker_dma_cmd_ring_waits_free(rocker);