Ronnie Sahlberg [Tue, 9 Apr 2019 21:47:22 +0000 (07:47 +1000)]
cifs: fix handle leak in smb2_query_symlink()
commit
e6d0fb7b34f264f72c33053558a360a6a734905e upstream.
If we enter smb2_query_symlink() for something that is not a symlink
and where the SMB2_open() would succeed we would never end up
closing this handle and would thus leak a handle on the server.
Fix this by immediately calling SMB2_close() on successfull open.
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ZhangXiaoxu [Sat, 6 Apr 2019 07:47:39 +0000 (15:47 +0800)]
cifs: Fix use-after-free in SMB2_read
commit
088aaf17aa79300cab14dbee2569c58cfafd7d6e upstream.
There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_read+0x1136/0x1190
Read of size 8 at addr
ffff8880b4e45e50 by task ln/1009
Should not release the 'req' because it will use in the trace.
Fixes:
eccb4422cf97 ("smb3: Add ftrace tracepoints for improved SMB3 debugging")
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org> 4.18+
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ZhangXiaoxu [Sat, 6 Apr 2019 07:47:38 +0000 (15:47 +0800)]
cifs: Fix use-after-free in SMB2_write
commit
6a3eb3360667170988f8a6477f6686242061488a upstream.
There is a KASAN use-after-free:
BUG: KASAN: use-after-free in SMB2_write+0x1342/0x1580
Read of size 8 at addr
ffff8880b6a8e450 by task ln/4196
Should not release the 'req' because it will use in the trace.
Fixes:
eccb4422cf97 ("smb3: Add ftrace tracepoints for improved SMB3 debugging")
Signed-off-by: ZhangXiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Stable <stable@vger.kernel.org> 4.18+
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Aurelien Aptel [Fri, 29 Mar 2019 09:49:12 +0000 (10:49 +0100)]
CIFS: keep FileInfo handle live during oplock break
commit
b98749cac4a695f084a5ff076f4510b23e353ecd upstream.
In the oplock break handler, writing pending changes from pages puts
the FileInfo handle. If the refcount reaches zero it closes the handle
and waits for any oplock break handler to return, thus causing a deadlock.
To prevent this situation:
* We add a wait flag to cifsFileInfo_put() to decide whether we should
wait for running/pending oplock break handlers
* We keep an additionnal reference of the SMB FileInfo handle so that
for the rest of the handler putting the handle won't close it.
- The ref is bumped everytime we queue the handler via the
cifs_queue_oplock_break() helper.
- The ref is decremented at the end of the handler
This bug was triggered by xfstest 464.
Also important fix to address the various reports of
oops in smb2_push_mandatory_locks
Signed-off-by: Aurelien Aptel <aaptel@suse.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
CC: Stable <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Peter Oskolkov [Tue, 23 Apr 2019 17:25:33 +0000 (10:25 -0700)]
net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c
[ Upstream commit
997dd96471641e147cb2c33ad54284000d0f5e35 ]
Currently, IPv6 defragmentation code drops non-last fragments that
are smaller than 1280 bytes: see
commit
0ed4229b08c1 ("ipv6: defrag: drop non-last frags smaller than min mtu")
This behavior is not specified in IPv6 RFCs and appears to break
compatibility with some IPv6 implemenations, as reported here:
https://www.spinics.net/lists/netdev/msg543846.html
This patch re-uses common IP defragmentation queueing and reassembly
code in IP6 defragmentation in nf_conntrack, removing the 1280 byte
restriction.
Signed-off-by: Peter Oskolkov <posk@google.com>
Reported-by: Tom Herbert <tom@herbertland.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Peter Oskolkov [Tue, 23 Apr 2019 17:25:32 +0000 (10:25 -0700)]
net: IP6 defrag: use rbtrees for IPv6 defrag
[ Upstream commit
d4289fcc9b16b89619ee1c54f829e05e56de8b9a ]
Currently, IPv6 defragmentation code drops non-last fragments that
are smaller than 1280 bytes: see
commit
0ed4229b08c1 ("ipv6: defrag: drop non-last frags smaller than min mtu")
This behavior is not specified in IPv6 RFCs and appears to break
compatibility with some IPv6 implemenations, as reported here:
https://www.spinics.net/lists/netdev/msg543846.html
This patch re-uses common IP defragmentation queueing and reassembly
code in IPv6, removing the 1280 byte restriction.
v2: change handling of overlaps to match that of upstream.
Signed-off-by: Peter Oskolkov <posk@google.com>
Reported-by: Tom Herbert <tom@herbertland.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Peter Oskolkov [Tue, 23 Apr 2019 17:25:31 +0000 (10:25 -0700)]
net: IP defrag: encapsulate rbtree defrag code into callable functions
[ Upstream commit
c23f35d19db3b36ffb9e04b08f1d91565d15f84f ]
This is a refactoring patch: without changing runtime behavior,
it moves rbtree-related code from IPv4-specific files/functions
into .h/.c defrag files shared with IPv6 defragmentation code.
v2: make handling of overlapping packets match upstream.
Signed-off-by: Peter Oskolkov <posk@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Cc: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Toke Høiland-Jørgensen [Fri, 5 Apr 2019 13:01:59 +0000 (15:01 +0200)]
sch_cake: Simplify logic in cake_select_tin()
[ Upstream commit
4976e3c683f328bc6f2edef555a4ffee6524486f ]
The logic in cake_select_tin() was getting a bit hairy, and it turns out we
can simplify it quite a bit. This also allows us to get rid of one of the
two diffserv parsing functions, which has the added benefit that
already-zeroed DSCP fields won't get re-written.
Suggested-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pieter Jansen van Vuuren [Tue, 2 Apr 2019 02:36:34 +0000 (19:36 -0700)]
nfp: flower: remove vlan CFI bit from push vlan action
[ Upstream commit
42cd5484a22f1a1b947e21e2af65fa7dab09d017 ]
We no longer set CFI when pushing vlan tags, therefore we remove
the CFI bit from push vlan.
Fixes:
1a1e586f54bf ("nfp: add basic action capabilities to flower offloads")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Signed-off-by: Louis Peens <louis.peens@netronome.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Pieter Jansen van Vuuren [Tue, 2 Apr 2019 02:36:33 +0000 (19:36 -0700)]
nfp: flower: replace CFI with vlan present
[ Upstream commit
f7ee799a51ddbcc205ef615fe424fb5084e9e0aa ]
Replace vlan CFI bit with a vlan present bit that indicates the
presence of a vlan tag. Previously the driver incorrectly assumed
that an vlan id of 0 is not matchable, therefore we indicate vlan
presence with a vlan present bit.
Fixes:
5571e8c9f241 ("nfp: extend flower matching capabilities")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Signed-off-by: Louis Peens <louis.peens@netronome.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Toke Høiland-Jørgensen [Thu, 4 Apr 2019 13:01:33 +0000 (15:01 +0200)]
sch_cake: Make sure we can write the IP header before changing DSCP bits
[ Upstream commit
c87b4ecdbe8db27867a7b7f840291cd843406bd7 ]
There is not actually any guarantee that the IP headers are valid before we
access the DSCP bits of the packets. Fix this using the same approach taken
in sch_dsmark.
Reported-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Toke Høiland-Jørgensen [Thu, 4 Apr 2019 13:01:33 +0000 (15:01 +0200)]
sch_cake: Use tc_skb_protocol() helper for getting packet protocol
[ Upstream commit
b2100cc56fca8c51d28aa42a9f1fbcb2cf351996 ]
We shouldn't be using skb->protocol directly as that will miss cases with
hardware-accelerated VLAN tags. Use the helper instead to get the right
protocol number.
Reported-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jonathan Lemon [Sun, 14 Apr 2019 21:21:29 +0000 (14:21 -0700)]
route: Avoid crash from dereferencing NULL rt->from
[ Upstream commit
9c69a13205151c0d801de9f9d83a818e6e8f60ec ]
When __ip6_rt_update_pmtu() is called, rt->from is RCU dereferenced, but is
never checked for null - rt6_flush_exceptions() may have removed the entry.
[ 1913.989004] RIP: 0010:ip6_rt_cache_alloc+0x13/0x170
[ 1914.209410] Call Trace:
[ 1914.214798] <IRQ>
[ 1914.219226] __ip6_rt_update_pmtu+0xb0/0x190
[ 1914.228649] ip6_tnl_xmit+0x2c2/0x970 [ip6_tunnel]
[ 1914.239223] ? ip6_tnl_parse_tlv_enc_lim+0x32/0x1a0 [ip6_tunnel]
[ 1914.252489] ? __gre6_xmit+0x148/0x530 [ip6_gre]
[ 1914.262678] ip6gre_tunnel_xmit+0x17e/0x3c7 [ip6_gre]
[ 1914.273831] dev_hard_start_xmit+0x8d/0x1f0
[ 1914.283061] sch_direct_xmit+0xfa/0x230
[ 1914.291521] __qdisc_run+0x154/0x4b0
[ 1914.299407] net_tx_action+0x10e/0x1f0
[ 1914.307678] __do_softirq+0xca/0x297
[ 1914.315567] irq_exit+0x96/0xa0
[ 1914.322494] smp_apic_timer_interrupt+0x68/0x130
[ 1914.332683] apic_timer_interrupt+0xf/0x20
[ 1914.341721] </IRQ>
Fixes:
a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
Signed-off-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Reviewed-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Saeed Mahameed [Tue, 19 Mar 2019 08:05:41 +0000 (01:05 -0700)]
net/mlx5: FPGA, tls, idr remove on flow delete
[ Upstream commit
df3a8344d404a810b4aadbf19b08c8232fbaa715 ]
Flow is kfreed on mlx5_fpga_tls_del_flow but kept in the idr data
structure, this is risky and can cause use-after-free, since the
idr_remove is delayed until tls_send_teardown_cmd completion.
Instead of delaying idr_remove, in this patch we do it on
mlx5_fpga_tls_del_flow, before actually kfree(flow).
Added synchronize_rcu before kfree(flow)
Fixes:
ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jakub Kicinski [Tue, 9 Apr 2019 00:59:50 +0000 (17:59 -0700)]
net/tls: prevent bad memory access in tls_is_sk_tx_device_offloaded()
[ Upstream commit
b4f47f3848eb70986f75d06112af7b48b7f5f462 ]
Unlike '&&' operator, the '&' does not have short-circuit
evaluation semantics. IOW both sides of the operator always
get evaluated. Fix the wrong operator in
tls_is_sk_tx_device_offloaded(), which would lead to
out-of-bounds access for for non-full sockets.
Fixes:
4799ac81e52a ("tls: Add rx inline crypto offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Dirk van der Merwe <dirk.vandermerwe@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Saeed Mahameed [Wed, 20 Mar 2019 05:09:05 +0000 (22:09 -0700)]
net/mlx5: FPGA, tls, hold rcu read lock a bit longer
[ Upstream commit
31634bf5dcc418b5b2cacd954394c0c4620db6a2 ]
To avoid use-after-free, hold the rcu read lock until we are done copying
flow data into the command buffer.
Fixes:
ab412e1dd7db ("net/mlx5: Accel, add TLS rx offload routines")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Matteo Croce [Thu, 11 Apr 2019 10:26:33 +0000 (12:26 +0200)]
net: thunderx: don't allow jumbo frames with XDP
[ Upstream commit
1f227d16083b2e280b7dde4ca78883d75593f2fd ]
The thunderx driver forbids to load an eBPF program if the MTU is too high,
but this can be circumvented by loading the eBPF, then raising the MTU.
Fix this by limiting the MTU if an eBPF program is already loaded.
Fixes:
05c773f52b96e ("net: thunderx: Add basic XDP support")
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Matteo Croce [Thu, 11 Apr 2019 10:26:32 +0000 (12:26 +0200)]
net: thunderx: raise XDP MTU to 1508
[ Upstream commit
5ee15c101f29e0093ffb5448773ccbc786eb313b ]
The thunderx driver splits frames bigger than 1530 bytes to multiple
pages, making impossible to run an eBPF program on it.
This leads to a maximum MTU of 1508 if QinQ is in use.
The thunderx driver forbids to load an eBPF program if the MTU is higher
than 1500 bytes. Raise the limit to 1508 so it is possible to use L2
protocols which need some more headroom.
Fixes:
05c773f52b96e ("net: thunderx: Add basic XDP support")
Signed-off-by: Matteo Croce <mcroce@redhat.com>
Acked-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Sun, 14 Apr 2019 00:32:21 +0000 (17:32 -0700)]
ipv4: ensure rcu_read_lock() in ipv4_link_failure()
[ Upstream commit
c543cb4a5f07e09237ec0fc2c60c9f131b2c79ad ]
fib_compute_spec_dst() needs to be called under rcu protection.
syzbot reported :
WARNING: suspicious RCU usage
5.1.0-rc4+ #165 Not tainted
include/linux/inetdevice.h:220 suspicious rcu_dereference_check() usage!
other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by swapper/0/0:
#0:
0000000051b67925 ((&n->timer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:170 [inline]
#0:
0000000051b67925 ((&n->timer)){+.-.}, at: call_timer_fn+0xda/0x720 kernel/time/timer.c:1315
stack backtrace:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.1.0-rc4+ #165
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5162
__in_dev_get_rcu include/linux/inetdevice.h:220 [inline]
fib_compute_spec_dst+0xbbd/0x1030 net/ipv4/fib_frontend.c:294
spec_dst_fill net/ipv4/ip_options.c:245 [inline]
__ip_options_compile+0x15a7/0x1a10 net/ipv4/ip_options.c:343
ipv4_link_failure+0x172/0x400 net/ipv4/route.c:1195
dst_link_failure include/net/dst.h:427 [inline]
arp_error_report+0xd1/0x1c0 net/ipv4/arp.c:297
neigh_invalidate+0x24b/0x570 net/core/neighbour.c:995
neigh_timer_handler+0xc35/0xf30 net/core/neighbour.c:1081
call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
expire_timers kernel/time/timer.c:1362 [inline]
__run_timers kernel/time/timer.c:1681 [inline]
__run_timers kernel/time/timer.c:1649 [inline]
run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
__do_softirq+0x266/0x95a kernel/softirq.c:293
invoke_softirq kernel/softirq.c:374 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:414
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1062
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
Fixes:
ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stephen Suryaputra [Fri, 12 Apr 2019 20:19:27 +0000 (16:19 -0400)]
ipv4: recompile ip options in ipv4_link_failure
[ Upstream commit
ed0de45a1008991fdaa27a0152befcb74d126a8b ]
Recompile IP options since IPCB may not be valid anymore when
ipv4_link_failure is called from arp_error_report.
Refer to the commit
3da1ed7ac398 ("net: avoid use IPCB in cipso_v4_error")
and the commit before that (
9ef6b42ad6fd) for a similar issue.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Jason Wang [Tue, 9 Apr 2019 04:10:25 +0000 (12:10 +0800)]
vhost: reject zero size iova range
[ Upstream commit
813dbeb656d6c90266f251d8bd2b02d445afa63f ]
We used to accept zero size iova range which will lead a infinite loop
in translate_desc(). Fixing this by failing the request in this case.
Reported-by: syzbot+d21e6e297322a900c128@syzkaller.appspotmail.com
Fixes:
6b1e6cc7 ("vhost: new device IOTLB API")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hoang Le [Tue, 9 Apr 2019 07:59:24 +0000 (14:59 +0700)]
tipc: missing entries in name table of publications
[ Upstream commit
d1841533e54876f152a30ac398a34f47ad6590b1 ]
When binding multiple services with specific type 1Ki, 2Ki..,
this leads to some entries in the name table of publications
missing when listed out via 'tipc name show'.
The problem is at identify zero last_type conditional provided
via netlink. The first is initial 'type' when starting name table
dummping. The second is continuously with zero type (node state
service type). Then, lookup function failure to finding node state
service type in next iteration.
To solve this, adding more conditional to marked as dirty type and
lookup correct service type for the next iteration instead of select
the first service as initial 'type' zero.
Acked-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: Hoang Le <hoang.h.le@dektech.com.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Hangbin Liu [Mon, 8 Apr 2019 08:45:17 +0000 (16:45 +0800)]
team: set slave to promisc if team is already in promisc mode
[ Upstream commit
43c2adb9df7ddd6560fd3546d925b42cef92daa0 ]
After adding a team interface to bridge, the team interface will enter
promisc mode. Then if we add a new slave to team0, the slave will keep
promisc off. Fix it by setting slave to promisc on if team master is
already in promisc mode, also do the same for allmulti.
v2: add promisc and allmulti checking when delete ports
Fixes:
3d249d4ca7d0 ("net: introduce ethernet teaming device")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Eric Dumazet [Tue, 16 Apr 2019 17:55:20 +0000 (10:55 -0700)]
tcp: tcp_grow_window() needs to respect tcp_space()
[ Upstream commit
50ce163a72d817a99e8974222dcf2886d5deb1ae ]
For some reason, tcp_grow_window() correctly tests if enough room
is present before attempting to increase tp->rcv_ssthresh,
but does not prevent it to grow past tcp_space()
This is causing hard to debug issues, like failing
the (__tcp_select_window(sk) >= tp->rcv_wnd) test
in __tcp_ack_snd_check(), causing ACK delays and possibly
slow flows.
Depending on tcp_rmem[2], MTU, skb->len/skb->truesize ratio,
we can see the problem happening on "netperf -t TCP_RR -- -r 2000,2000"
after about 60 round trips, when the active side no longer sends
immediate acks.
This bug predates git history.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Wei Wang <weiwan@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Lorenzo Bianconi [Tue, 9 Apr 2019 09:47:20 +0000 (11:47 +0200)]
net: fou: do not use guehdr after iptunnel_pull_offloads in gue_udp_recv
[ Upstream commit
988dc4a9a3b66be75b30405a5494faf0dc7cffb6 ]
gue tunnels run iptunnel_pull_offloads on received skbs. This can
determine a possible use-after-free accessing guehdr pointer since
the packet will be 'uncloned' running pskb_expand_head if it is a
cloned gso skb (e.g if the packet has been sent though a veth device)
Fixes:
a09a4c8dd1ec ("tunnels: Remove encapsulation offloads on decap")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Yuya Kusakabe [Tue, 16 Apr 2019 01:22:28 +0000 (10:22 +0900)]
net: Fix missing meta data in skb with vlan packet
[ Upstream commit
d85e8be2a5a02869f815dd0ac2d743deb4cd7957 ]
skb_reorder_vlan_header() should move XDP meta data with ethernet header
if XDP meta data exists.
Fixes:
de8f3a83b0a0 ("bpf: add meta pointer for direct access")
Signed-off-by: Yuya Kusakabe <yuya.kusakabe@gmail.com>
Signed-off-by: Takeru Hayasaka <taketarou2@gmail.com>
Co-developed-by: Takeru Hayasaka <taketarou2@gmail.com>
Reviewed-by: Toshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nikolay Aleksandrov [Thu, 11 Apr 2019 12:08:25 +0000 (15:08 +0300)]
net: bridge: multicast: use rcu to access port list from br_multicast_start_querier
[ Upstream commit
c5b493ce192bd7a4e7bd073b5685aad121eeef82 ]
br_multicast_start_querier() walks over the port list but it can be
called from a timer with only multicast_lock held which doesn't protect
the port list, so use RCU to walk over it.
Fixes:
c83b8fab06fc ("bridge: Restart queries when last querier expires")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Nikolay Aleksandrov [Thu, 11 Apr 2019 10:56:39 +0000 (13:56 +0300)]
net: bridge: fix per-port af_packet sockets
[ Upstream commit
3b2e2904deb314cc77a2192f506f2fd44e3d10d0 ]
When the commit below was introduced it changed two visible things:
- the skb was no longer passed through the protocol handlers with the
original device
- the skb was passed up the stack with skb->dev = bridge
The first change broke af_packet sockets on bridge ports. For example we
use them for hostapd which listens for ETH_P_PAE packets on the ports.
We discussed two possible fixes:
- create a clone and pass it through NF_HOOK(), act on the original skb
based on the result
- somehow signal to the caller from the okfn() that it was called,
meaning the skb is ok to be passed, which this patch is trying to
implement via returning 1 from the bridge link-local okfn()
Note that we rely on the fact that NF_QUEUE/STOLEN would return 0 and
drop/error would return < 0 thus the okfn() is called only when the
return was 1, so we signal to the caller that it was called by preserving
the return value from nf_hook().
Fixes:
8626c56c8279 ("bridge: fix potential use-after-free when hook returns QUEUE or STOLEN verdict")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Gustavo A. R. Silva [Mon, 15 Apr 2019 20:57:23 +0000 (15:57 -0500)]
net: atm: Fix potential Spectre v1 vulnerabilities
[ Upstream commit
899537b73557aafbdd11050b501cf54b4f5c45af ]
arg is controlled by user-space, hence leading to a potential
exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
net/atm/lec.c:715 lec_mcast_attach() warn: potential spectre issue 'dev_lec' [r] (local cap)
Fix this by sanitizing arg before using it to index dev_lec.
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://lore.kernel.org/lkml/
20180423164740.GY17484@dhcp22.suse.cz/
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Si-Wei Liu [Mon, 8 Apr 2019 23:45:27 +0000 (19:45 -0400)]
failover: allow name change on IFF_UP slave interfaces
[ Upstream commit
8065a779f17e94536a1c4dcee4f9d88011672f97 ]
When a netdev appears through hot plug then gets enslaved by a failover
master that is already up and running, the slave will be opened
right away after getting enslaved. Today there's a race that userspace
(udev) may fail to rename the slave if the kernel (net_failover)
opens the slave earlier than when the userspace rename happens.
Unlike bond or team, the primary slave of failover can't be renamed by
userspace ahead of time, since the kernel initiated auto-enslavement is
unable to, or rather, is never meant to be synchronized with the rename
request from userspace.
As the failover slave interfaces are not designed to be operated
directly by userspace apps: IP configuration, filter rules with
regard to network traffic passing and etc., should all be done on master
interface. In general, userspace apps only care about the
name of master interface, while slave names are less important as long
as admin users can see reliable names that may carry
other information describing the netdev. For e.g., they can infer that
"ens3nsby" is a standby slave of "ens3", while for a
name like "eth0" they can't tell which master it belongs to.
Historically the name of IFF_UP interface can't be changed because
there might be admin script or management software that is already
relying on such behavior and assumes that the slave name can't be
changed once UP. But failover is special: with the in-kernel
auto-enslavement mechanism, the userspace expectation for device
enumeration and bring-up order is already broken. Previously initramfs
and various userspace config tools were modified to bypass failover
slaves because of auto-enslavement and duplicate MAC address. Similarly,
in case that users care about seeing reliable slave name, the new type
of failover slaves needs to be taken care of specifically in userspace
anyway.
It's less risky to lift up the rename restriction on failover slave
which is already UP. Although it's possible this change may potentially
break userspace component (most likely configuration scripts or
management software) that assumes slave name can't be changed while
UP, it's relatively a limited and controllable set among all userspace
components, which can be fixed specifically to listen for the rename
events on failover slaves. Userspace component interacting with slaves
is expected to be changed to operate on failover master interface
instead, as the failover slave is dynamic in nature which may come and
go at any point. The goal is to make the role of failover slaves less
relevant, and userspace components should only deal with failover master
in the long run.
Fixes:
30c8bd5aa8b2 ("net: Introduce generic failover module")
Signed-off-by: Si-Wei Liu <si-wei.liu@oracle.com>
Reviewed-by: Liran Alon <liran.alon@oracle.com>
Acked-by: Sridhar Samudrala <sridhar.samudrala@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Sabrina Dubroca [Fri, 12 Apr 2019 13:04:10 +0000 (15:04 +0200)]
bonding: fix event handling for stacked bonds
[ Upstream commit
92480b3977fd3884649d404cbbaf839b70035699 ]
When a bond is enslaved to another bond, bond_netdev_event() only
handles the event as if the bond is a master, and skips treating the
bond as a slave.
This leads to a refcount leak on the slave, since we don't remove the
adjacency to its master and the master holds a reference on the slave.
Reproducer:
ip link add bondL type bond
ip link add bondU type bond
ip link set bondL master bondU
ip link del bondL
No "Fixes:" tag, this code is older than git history.
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman [Sat, 20 Apr 2019 07:16:05 +0000 (09:16 +0200)]
Linux 4.19.36
Arnd Bergmann [Wed, 6 Mar 2019 10:52:36 +0000 (11:52 +0100)]
appletalk: Fix compile regression
[ Upstream commit
27da0d2ef998e222a876c0cec72aa7829a626266 ]
A bugfix just broke compilation of appletalk when CONFIG_SYSCTL
is disabled:
In file included from net/appletalk/ddp.c:65:
net/appletalk/ddp.c: In function 'atalk_init':
include/linux/atalk.h:164:34: error: expected expression before 'do'
#define atalk_register_sysctl() do { } while(0)
^~
net/appletalk/ddp.c:1934:7: note: in expansion of macro 'atalk_register_sysctl'
rc = atalk_register_sysctl();
This is easier to avoid by using conventional inline functions
as stubs rather than macros. The header already has inline
functions for other purposes, so I'm changing over all the
macros for consistency.
Fixes:
6377f787aeb9 ("appletalk: Fix use-after-free in atalk_proc_exit")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Konstantin Khlebnikov [Tue, 9 Apr 2019 17:05:43 +0000 (20:05 +0300)]
mm: hide incomplete nr_indirectly_reclaimable in sysfs
In upstream branch this fixed by commit
b29940c1abd7 ("mm: rename and
change semantics of nr_indirectly_reclaimable_bytes").
This fixes /sys/devices/system/node/node*/vmstat format:
...
nr_dirtied 6613155
nr_written 5796802
11089216
...
Cc: <stable@vger.kernel.org> # 4.19.y
Fixes:
7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in /proc/vmstat")
Signed-off-by: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
Cc: Roman Gushchin <guro@fb.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Roman Gushchin [Tue, 30 Oct 2018 17:48:25 +0000 (17:48 +0000)]
mm: hide incomplete nr_indirectly_reclaimable in /proc/zoneinfo
[fixed differently upstream, this is a work-around to resolve it for 4.19.y]
Yongqin reported that /proc/zoneinfo format is broken in 4.14
due to commit
7aaf77272358 ("mm: don't show nr_indirectly_reclaimable
in /proc/vmstat")
Node 0, zone DMA
per-node stats
nr_inactive_anon 403
nr_active_anon 89123
nr_inactive_file 128887
nr_active_file 47377
nr_unevictable 2053
nr_slab_reclaimable 7510
nr_slab_unreclaimable 10775
nr_isolated_anon 0
nr_isolated_file 0
<...>
nr_vmscan_write 0
nr_vmscan_immediate_reclaim 0
nr_dirtied 6022
nr_written 5985
74240
^^^^^^^^^^
pages free 131656
The problem is caused by the nr_indirectly_reclaimable counter,
which is hidden from the /proc/vmstat, but not from the
/proc/zoneinfo. Let's fix this inconsistency and hide the
counter from /proc/zoneinfo exactly as from /proc/vmstat.
BTW, in 4.19+ the counter has been renamed and exported by
the commit
b29940c1abd7 ("mm: rename and change semantics of
nr_indirectly_reclaimable_bytes"), so there is no such a problem
anymore.
Cc: <stable@vger.kernel.org> # 4.14.x-4.18.x
Fixes:
7aaf77272358 ("mm: don't show nr_indirectly_reclaimable in /proc/vmstat")
Reported-by: Yongqin Liu <yongqin.liu@linaro.org>
Signed-off-by: Roman Gushchin <guro@fb.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Kaike Wan [Mon, 18 Mar 2019 16:55:19 +0000 (09:55 -0700)]
IB/hfi1: Failed to drain send queue when QP is put into error state
commit
662d66466637862ef955f7f6e78a286d8cf0ebef upstream.
When a QP is put into error state, all pending requests in the send work
queue should be drained. The following sequence of events could lead to a
failure, causing a request to hang:
(1) The QP builds a packet and tries to send through SDMA engine.
However, PIO engine is still busy. Consequently, this packet is put on
the QP's tx list and the QP is put on the PIO waiting list. The field
qp->s_flags is set with HFI1_S_WAIT_PIO_DRAIN;
(2) The QP is put into error state by the user application and
notify_error_qp() is called, which removes the QP from the PIO waiting
list and the packet from the QP's tx list. In addition, qp->s_flags is
cleared of RVT_S_ANY_WAIT_IO bits, which does not include
HFI1_S_WAIT_PIO_DRAIN bit;
(3) The hfi1_schdule_send() function is called to drain the QP's send
queue. Subsequently, hfi1_do_send() is called. Since the flag bit
HFI1_S_WAIT_PIO_DRAIN is set in qp->s_flags, hfi1_send_ok() fails. As
a result, hfi1_do_send() bails out without draining any request from
the send queue;
(4) The PIO engine completes the sending and tries to wake up any QP on
its waiting list. But the QP has been removed from the PIO waiting
list and therefore is kept in sleep forever.
The fix is to clear qp->s_flags of HFI1_S_ANY_WAIT_IO bits in step (2).
HFI1_S_ANY_WAIT_IO includes RVT_S_ANY_WAIT_IO and HFI1_S_WAIT_PIO_DRAIN.
Fixes:
2e2ba09e48b7 ("IB/rdmavt, IB/hfi1: Create device dependent s_flags")
Cc: <stable@vger.kernel.org> # 4.19.x+
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Kaike Wan <kaike.wan@intel.com>
Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Daniel Borkmann [Mon, 25 Mar 2019 14:54:43 +0000 (15:54 +0100)]
bpf: fix use after free in bpf_evict_inode
[ Upstream commit
1da6c4d9140cb7c13e87667dc4e1488d6c8fc10f ]
syzkaller was able to generate the following UAF in bpf:
BUG: KASAN: use-after-free in lookup_last fs/namei.c:2269 [inline]
BUG: KASAN: use-after-free in path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318
Read of size 1 at addr
ffff8801c4865c47 by task syz-executor2/9423
CPU: 0 PID: 9423 Comm: syz-executor2 Not tainted 4.20.0-rc1-next-
20181109+
#110
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
lookup_last fs/namei.c:2269 [inline]
path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318
filename_lookup+0x26a/0x520 fs/namei.c:2348
user_path_at_empty+0x40/0x50 fs/namei.c:2608
user_path include/linux/namei.h:62 [inline]
do_mount+0x180/0x1ff0 fs/namespace.c:2980
ksys_mount+0x12d/0x140 fs/namespace.c:3258
__do_sys_mount fs/namespace.c:3272 [inline]
__se_sys_mount fs/namespace.c:3269 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3269
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:
00007fde6ed96c78 EFLAGS:
00000246 ORIG_RAX:
00000000000000a5
RAX:
ffffffffffffffda RBX:
0000000000000005 RCX:
0000000000457569
RDX:
0000000020000040 RSI:
0000000020000000 RDI:
0000000000000000
RBP:
000000000072bf00 R08:
0000000020000340 R09:
0000000000000000
R10:
0000000000200000 R11:
0000000000000246 R12:
00007fde6ed976d4
R13:
00000000004c2c24 R14:
00000000004d4990 R15:
00000000ffffffff
Allocated by task 9424:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
__do_kmalloc mm/slab.c:3722 [inline]
__kmalloc_track_caller+0x157/0x760 mm/slab.c:3737
kstrdup+0x39/0x70 mm/util.c:49
bpf_symlink+0x26/0x140 kernel/bpf/inode.c:356
vfs_symlink+0x37a/0x5d0 fs/namei.c:4127
do_symlinkat+0x242/0x2d0 fs/namei.c:4154
__do_sys_symlink fs/namei.c:4173 [inline]
__se_sys_symlink fs/namei.c:4171 [inline]
__x64_sys_symlink+0x59/0x80 fs/namei.c:4171
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9425:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817
bpf_evict_inode+0x11f/0x150 kernel/bpf/inode.c:565
evict+0x4b9/0x980 fs/inode.c:558
iput_final fs/inode.c:1550 [inline]
iput+0x674/0xa90 fs/inode.c:1576
do_unlinkat+0x733/0xa30 fs/namei.c:4069
__do_sys_unlink fs/namei.c:4110 [inline]
__se_sys_unlink fs/namei.c:4108 [inline]
__x64_sys_unlink+0x42/0x50 fs/namei.c:4108
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
In this scenario path lookup under RCU is racing with the final
unlink in case of symlinks. As Linus puts it in his analysis:
[...] We actually RCU-delay the inode freeing itself, but
when we do the final iput(), the "evict()" function is called
synchronously. Now, the simple fix would seem to just RCU-delay
the kfree() of the symlink data in bpf_evict_inode(). Maybe
that's the right thing to do. [...]
Al suggested to piggy-back on the ->destroy_inode() callback in
order to implement RCU deferral there which can then kfree() the
inode->i_link eventually right before putting inode back into
inode cache. By reusing free_inode_nonrcu() from there we can
avoid the need for our own inode cache and just reuse generic
one as we currently do.
And in-fact on top of all this we should just get rid of the
bpf_evict_inode() entirely. This means truncate_inode_pages_final()
and clear_inode() will then simply be called by the fs core via
evict(). Dropping the reference should really only be done when
inode is unhashed and nothing reachable anymore, so it's better
also moved into the final ->destroy_inode() callback.
Fixes:
0f98621bef5d ("bpf, inode: add support for symlinks and fix mtime/ctime")
Reported-by: syzbot+fb731ca573367b7f6564@syzkaller.appspotmail.com
Reported-by: syzbot+a13e5ead792d6df37818@syzkaller.appspotmail.com
Reported-by: syzbot+7a8ba368b47fdefca61e@syzkaller.appspotmail.com
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://lore.kernel.org/lkml/0000000000006946d2057bbd0eef@google.com/T/
Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
Pi-Hsun Shih [Wed, 13 Mar 2019 18:44:33 +0000 (11:44 -0700)]
include/linux/swap.h: use offsetof() instead of custom __swapoffset macro
[ Upstream commit
a4046c06be50a4f01d435aa7fe57514818e6cc82 ]
Use offsetof() to calculate offset of a field to take advantage of
compiler built-in version when possible, and avoid UBSAN warning when
compiling with Clang:
UBSAN: Undefined behaviour in mm/swapfile.c:3010:38
member access within null pointer of type 'union swap_header'
CPU: 6 PID: 1833 Comm: swapon Tainted: G S 4.19.23 #43
Call trace:
dump_backtrace+0x0/0x194
show_stack+0x20/0x2c
__dump_stack+0x20/0x28
dump_stack+0x70/0x94
ubsan_epilogue+0x14/0x44
ubsan_type_mismatch_common+0xf4/0xfc
__ubsan_handle_type_mismatch_v1+0x34/0x54
__se_sys_swapon+0x654/0x1084
__arm64_sys_swapon+0x1c/0x24
el0_svc_common+0xa8/0x150
el0_svc_compat_handler+0x2c/0x38
el0_svc_compat+0x8/0x18
Link: http://lkml.kernel.org/r/20190312081902.223764-1-pihsun@chromium.org
Signed-off-by: Pi-Hsun Shih <pihsun@chromium.org>
Acked-by: Michal Hocko <mhocko@suse.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Chao Yu [Sat, 23 Feb 2019 01:48:27 +0000 (09:48 +0800)]
f2fs: fix to dirty inode for i_mode recovery
[ Upstream commit
ca597bddedd94906cd761d8be6a3ad21292725de ]
As Seulbae Kim reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=202637
We didn't recover permission field correctly after sudden power-cut,
the reason is in setattr we didn't add inode into global dirty list
once i_mode is changed, so latter checkpoint triggered by fsync will
not flush last i_mode into disk, result in this problem, fix it.
Reported-by: Seulbae Kim <seulbae@gatech.edu>
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
David Howells [Fri, 8 Mar 2019 12:48:39 +0000 (12:48 +0000)]
rxrpc: Fix client call connect/disconnect race
[ Upstream commit
930c9f9125c85b5134b3e711bc252ecc094708e3 ]
rxrpc_disconnect_client_call() reads the call's connection ID protocol
value (call->cid) as part of that function's variable declarations. This
is bad because it's not inside the locked section and so may race with
someone granting use of the channel to the call.
This manifests as an assertion failure (see below) where the call in the
presumed channel (0 because call->cid wasn't set when we read it) doesn't
match the call attached to the channel we were actually granted (if 1, 2 or
3).
Fix this by moving the read and dependent calculations inside of the
channel_lock section. Also, only set the channel number and pointer
variables if cid is not zero (ie. unset).
This problem can be induced by injecting an occasional error in
rxrpc_wait_for_channel() before the call to schedule().
Make two further changes also:
(1) Add a trace for wait failure in rxrpc_connect_call().
(2) Drop channel_lock before BUG'ing in the case of the assertion failure.
The failure causes a trace akin to the following:
rxrpc: Assertion failed -
18446612685268945920(0xffff8880beab8c00) ==
18446612685268621312(0xffff8880bea69800) is false
------------[ cut here ]------------
kernel BUG at net/rxrpc/conn_client.c:824!
...
RIP: 0010:rxrpc_disconnect_client_call+0x2bf/0x99d
...
Call Trace:
rxrpc_connect_call+0x902/0x9b3
? wake_up_q+0x54/0x54
rxrpc_new_client_call+0x3a0/0x751
? rxrpc_kernel_begin_call+0x141/0x1bc
? afs_alloc_call+0x1b5/0x1b5
rxrpc_kernel_begin_call+0x141/0x1bc
afs_make_call+0x20c/0x525
? afs_alloc_call+0x1b5/0x1b5
? __lock_is_held+0x40/0x71
? lockdep_init_map+0xaf/0x193
? lockdep_init_map+0xaf/0x193
? __lock_is_held+0x40/0x71
? yfs_fs_fetch_data+0x33b/0x34a
yfs_fs_fetch_data+0x33b/0x34a
afs_fetch_data+0xdc/0x3b7
afs_read_dir+0x52d/0x97f
afs_dir_iterate+0xa0/0x661
? iterate_dir+0x63/0x141
iterate_dir+0xa2/0x141
ksys_getdents64+0x9f/0x11b
? filldir+0x111/0x111
? do_syscall_64+0x3e/0x1a0
__x64_sys_getdents64+0x16/0x19
do_syscall_64+0x7d/0x1a0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes:
45025bceef17 ("rxrpc: Improve management and caching of client connection objects")
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Stanislaw Gruszka [Fri, 8 Mar 2019 00:28:18 +0000 (16:28 -0800)]
lib/div64.c: off by one in shift
[ Upstream commit
cdc94a37493135e355dfc0b0e086d84e3eadb50d ]
fls counts bits starting from 1 to 32 (returns 0 for zero argument). If
we add 1 we shift right one bit more and loose precision from divisor,
what cause function incorect results with some numbers.
Corrected code was tested in user-space, see bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=202391
Link: http://lkml.kernel.org/r/1548686944-11891-1-git-send-email-sgruszka@redhat.com
Fixes:
658716d19f8f ("div64_u64(): improve precision on 32bit platforms")
Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
Reported-by: Siarhei Volkau <lis8215@gmail.com>
Tested-by: Siarhei Volkau <lis8215@gmail.com>
Acked-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
YueHaibing [Fri, 1 Mar 2019 02:57:57 +0000 (10:57 +0800)]
appletalk: Fix use-after-free in atalk_proc_exit
[ Upstream commit
6377f787aeb945cae7abbb6474798de129e1f3ac ]
KASAN report this:
BUG: KASAN: use-after-free in pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
Read of size 8 at addr
ffff8881f41fe5b0 by task syz-executor.0/2806
CPU: 0 PID: 2806 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0xfa/0x1ce lib/dump_stack.c:113
print_address_description+0x65/0x270 mm/kasan/report.c:187
kasan_report+0x149/0x18d mm/kasan/report.c:317
pde_subdir_find+0x12d/0x150 fs/proc/generic.c:71
remove_proc_entry+0xe8/0x420 fs/proc/generic.c:667
atalk_proc_exit+0x18/0x820 [appletalk]
atalk_exit+0xf/0x5a [appletalk]
__do_sys_delete_module kernel/module.c:1018 [inline]
__se_sys_delete_module kernel/module.c:961 [inline]
__x64_sys_delete_module+0x3dc/0x5e0 kernel/module.c:961
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x462e99
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:
00007fb2de6b9c58 EFLAGS:
00000246 ORIG_RAX:
00000000000000b0
RAX:
ffffffffffffffda RBX:
000000000073bf00 RCX:
0000000000462e99
RDX:
0000000000000000 RSI:
0000000000000000 RDI:
00000000200001c0
RBP:
0000000000000002 R08:
0000000000000000 R09:
0000000000000000
R10:
0000000000000000 R11:
0000000000000246 R12:
00007fb2de6ba6bc
R13:
00000000004bccaa R14:
00000000006f6bc8 R15:
00000000ffffffff
Allocated by task 2806:
set_track mm/kasan/common.c:85 [inline]
__kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:496
slab_post_alloc_hook mm/slab.h:444 [inline]
slab_alloc_node mm/slub.c:2739 [inline]
slab_alloc mm/slub.c:2747 [inline]
kmem_cache_alloc+0xcf/0x250 mm/slub.c:2752
kmem_cache_zalloc include/linux/slab.h:730 [inline]
__proc_create+0x30f/0xa20 fs/proc/generic.c:408
proc_mkdir_data+0x47/0x190 fs/proc/generic.c:469
0xffffffffc10c01bb
0xffffffffc10c0166
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 2806:
set_track mm/kasan/common.c:85 [inline]
__kasan_slab_free+0x130/0x180 mm/kasan/common.c:458
slab_free_hook mm/slub.c:1409 [inline]
slab_free_freelist_hook mm/slub.c:1436 [inline]
slab_free mm/slub.c:2986 [inline]
kmem_cache_free+0xa6/0x2a0 mm/slub.c:3002
pde_put+0x6e/0x80 fs/proc/generic.c:647
remove_proc_entry+0x1d3/0x420 fs/proc/generic.c:684
0xffffffffc10c031c
0xffffffffc10c0166
do_one_initcall+0xfa/0x5ca init/main.c:887
do_init_module+0x204/0x5f6 kernel/module.c:3460
load_module+0x66b2/0x8570 kernel/module.c:3808
__do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at
ffff8881f41fe500
which belongs to the cache proc_dir_entry of size 256
The buggy address is located 176 bytes inside of
256-byte region [
ffff8881f41fe500,
ffff8881f41fe600)
The buggy address belongs to the page:
page:
ffffea0007d07f80 count:1 mapcount:0 mapping:
ffff8881f6e69a00 index:0x0
flags: 0x2fffc0000000200(slab)
raw:
02fffc0000000200 dead000000000100 dead000000000200 ffff8881f6e69a00
raw:
0000000000000000 00000000800c000c 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8881f41fe480: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff8881f41fe500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>
ffff8881f41fe580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8881f41fe600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
ffff8881f41fe680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
It should check the return value of atalk_proc_init fails,
otherwise atalk_exit will trgger use-after-free in pde_subdir_find
while unload the module.This patch fix error cleanup path of atalk_init
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kevin Wang [Fri, 22 Feb 2019 04:36:49 +0000 (12:36 +0800)]
drm/amdkfd: use init_mqd function to allocate object for hid_mqd (CI)
[ Upstream commit
cac734c2dbd2514f14c8c6a17caba1990d83bf1d ]
if use the legacy method to allocate object, when mqd_hiq need to run
uninit code, it will be cause WARNING call trace.
eg: (s3 suspend test)
[ 34.918944] Call Trace:
[ 34.918948] [<
ffffffff92961dc1>] dump_stack+0x19/0x1b
[ 34.918950] [<
ffffffff92297648>] __warn+0xd8/0x100
[ 34.918951] [<
ffffffff9229778d>] warn_slowpath_null+0x1d/0x20
[ 34.918991] [<
ffffffffc03ce1fe>] uninit_mqd_hiq_sdma+0x4e/0x50 [amdgpu]
[ 34.919028] [<
ffffffffc03d0ef7>] uninitialize+0x37/0xe0 [amdgpu]
[ 34.919064] [<
ffffffffc03d15a6>] kernel_queue_uninit+0x16/0x30 [amdgpu]
[ 34.919086] [<
ffffffffc03d26c2>] pm_uninit+0x12/0x20 [amdgpu]
[ 34.919107] [<
ffffffffc03d4915>] stop_nocpsch+0x15/0x20 [amdgpu]
[ 34.919129] [<
ffffffffc03c1dce>] kgd2kfd_suspend.part.4+0x2e/0x50 [amdgpu]
[ 34.919150] [<
ffffffffc03c2667>] kgd2kfd_suspend+0x17/0x20 [amdgpu]
[ 34.919171] [<
ffffffffc03c103a>] amdgpu_amdkfd_suspend+0x1a/0x20 [amdgpu]
[ 34.919187] [<
ffffffffc02ec428>] amdgpu_device_suspend+0x88/0x3a0 [amdgpu]
[ 34.919189] [<
ffffffff922e22cf>] ? enqueue_entity+0x2ef/0xbe0
[ 34.919205] [<
ffffffffc02e8220>] amdgpu_pmops_suspend+0x20/0x30 [amdgpu]
[ 34.919207] [<
ffffffff925c56ff>] pci_pm_suspend+0x6f/0x150
[ 34.919208] [<
ffffffff925c5690>] ? pci_pm_freeze+0xf0/0xf0
[ 34.919210] [<
ffffffff926b45c6>] dpm_run_callback+0x46/0x90
[ 34.919212] [<
ffffffff926b49db>] __device_suspend+0xfb/0x2a0
[ 34.919213] [<
ffffffff926b4b9f>] async_suspend+0x1f/0xa0
[ 34.919214] [<
ffffffff922c918f>] async_run_entry_fn+0x3f/0x130
[ 34.919216] [<
ffffffff922b9d4f>] process_one_work+0x17f/0x440
[ 34.919217] [<
ffffffff922bade6>] worker_thread+0x126/0x3c0
[ 34.919218] [<
ffffffff922bacc0>] ? manage_workers.isra.25+0x2a0/0x2a0
[ 34.919220] [<
ffffffff922c1c31>] kthread+0xd1/0xe0
[ 34.919221] [<
ffffffff922c1b60>] ? insert_kthread_work+0x40/0x40
[ 34.919222] [<
ffffffff92974c1d>] ret_from_fork_nospec_begin+0x7/0x21
[ 34.919224] [<
ffffffff922c1b60>] ? insert_kthread_work+0x40/0x40
[ 34.919224] ---[ end trace
38cd9f65c963adad ]---
Signed-off-by: Kevin Wang <kevin1.wang@amd.com>
Reviewed-by: Oak Zeng <Oak.Zeng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Yang Shi [Wed, 13 Feb 2019 16:14:23 +0000 (17:14 +0100)]
ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
[ Upstream commit
143c2a89e0e5fda6c6fd08d7bc1126438c19ae90 ]
When running kprobe on -rt kernel, the below bug is caught:
|BUG: sleeping function called from invalid context at kernel/locking/rtmutex.c:931
|in_atomic(): 1, irqs_disabled(): 128, pid: 14, name: migration/0
|Preemption disabled at:[<
802f2b98>] cpu_stopper_thread+0xc0/0x140
|CPU: 0 PID: 14 Comm: migration/0 Tainted: G O 4.8.3-rt2 #1
|Hardware name: Freescale LS1021A
|[<
8025a43c>] (___might_sleep)
|[<
80b5b324>] (rt_spin_lock)
|[<
80b5c31c>] (__patch_text_real)
|[<
80b5c3ac>] (patch_text_stop_machine)
|[<
802f2920>] (multi_cpu_stop)
Since patch_text_stop_machine() is called in stop_machine() which
disables IRQ, sleepable lock should be not used in this atomic context,
so replace patch_lock to raw lock.
Signed-off-by: Yang Shi <yang.shi@linaro.org>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ilia Mirkin [Sun, 13 Jan 2019 22:50:10 +0000 (17:50 -0500)]
drm/nouveau/volt/gf117: fix speedo readout register
[ Upstream commit
fc782242749fa4235592854fafe1a1297583c1fb ]
GF117 appears to use the same register as GK104 (but still with the
general Fermi readout mechanism).
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=108980
Signed-off-by: Ilia Mirkin <imirkin@alum.mit.edu>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Mika Westerberg [Thu, 31 Jan 2019 16:38:56 +0000 (19:38 +0300)]
PCI: Blacklist power management of Gigabyte X299 DESIGNARE EX PCIe ports
[ Upstream commit
85b0cae89d5266e6a7abb2e83c6f716326fc494c ]
Gigabyte X299 DESIGNARE EX motherboard has one PCIe root port that is
connected to an Alpine Ridge Thunderbolt controller. This port has slot
implemented bit set in the config space but other than that it is not
hotplug capable in the sense we are expecting in Linux (it has
dev->is_hotplug_bridge set to 0):
00:1c.4 PCI bridge: Intel Corporation 200 Series PCH PCI Express Root Port #5
Bus: primary=00, secondary=05, subordinate=46, sec-latency=0
Memory behind bridge:
78000000-
8fffffff [size=384M]
Prefetchable memory behind bridge:
00003800f8000000-
00003800ffffffff [size=128M]
...
Capabilities: [40] Express (v2) Root Port (Slot+), MSI 00
...
SltCap: AttnBtn- PwrCtrl- MRL- AttnInd- PwrInd- HotPlug- Surprise-
Slot #8, PowerLimit 25.000W; Interlock- NoCompl+
SltCtl: Enable: AttnBtn- PwrFlt- MRL- PresDet- CmdCplt- HPIrq- LinkChg-
Control: AttnInd Unknown, PwrInd Unknown, Power- Interlock-
SltSta: Status: AttnBtn- PowerFlt- MRL- CmdCplt- PresDet- Interlock-
Changed: MRL- PresDet+ LinkState+
This system is using ACPI based hotplug to notify the OS that it needs to
rescan the PCI bus (ACPI hotplug).
If there is nothing connected in any of the Thunderbolt ports the root port
will not have any runtime PM active children and is thus automatically
runtime suspended pretty soon after boot by PCI PM core. Now, when a
device is connected the BIOS SMI handler responsible for enumerating newly
added devices is not able to find anything because the port is in D3.
Prevent this from happening by blacklisting PCI power management of this
particular Gigabyte system.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=202031
Reported-by: Kedar A Dongre <kedar.a.dongre@intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Leo Yan [Tue, 5 Feb 2019 23:24:53 +0000 (16:24 -0700)]
coresight: cpu-debug: Support for CA73 CPUs
[ Upstream commit
a0f890aba2be33377f4eb24e13633c4a76a68f38 ]
This patch is to add the AMBA device ID for CA73 CPU, so that CPU debug
module can be initialized successfully when a SoC contain CA73 CPUs.
This patch has been verified on 96boards Hikey960.
Signed-off-by: Leo Yan <leo.yan@linaro.org>
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Zhang Rui [Fri, 1 Feb 2019 06:13:41 +0000 (14:13 +0800)]
Revert "ACPI / EC: Remove old CLEAR_ON_RESUME quirk"
[ Upstream commit
b6a3e1475b0220378ad32bdf4d8692f058b1fc03 ]
On some Samsung hardware, it is necessary to clear events accumulated by
the EC during sleep. These ECs stop reporting GPEs until they are manually
polled, if too many events are accumulated.
Thus the CLEAR_ON_RESUME quirk is introduced to send EC query commands
unconditionally after resume to clear all the EC query events on those
platforms.
Later, commit
4c237371f290 ("ACPI / EC: Remove old CLEAR_ON_RESUME quirk")
removes the CLEAR_ON_RESUME quirk because we thought the new EC IRQ
polling logic should handle this case.
Now it has been proved that the EC IRQ Polling logic does not fix the
issue actually because we got regression report on these Samsung
platforms after removing the quirk.
Thus revert commit
4c237371f290 ("ACPI / EC: Remove old CLEAR_ON_RESUME
quirk") to introduce back the Samsung quirk in this patch.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=44161
Tested-by: Ortwin Glück <odi@odi.ch>
Tested-by: Francisco Cribari <cribari@gmail.com>
Tested-by: Balazs Varga <balazs4web@gmail.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Lars Persson [Wed, 23 Jan 2019 11:59:42 +0000 (12:59 +0100)]
crypto: axis - fix for recursive locking from bottom half
[ Upstream commit
c34a83820f59bb275e5f2d55cd5ea99c64f6ef23 ]
Clients may submit a new requests from the completion callback
context. The driver was not prepared to receive a request in this
state because it already held the request queue lock and a recursive
lock error is triggered.
Now all completions are queued up until we are ready to drop the queue
lock and then delivered.
The fault was triggered by TCP over an IPsec connection in the LTP
test suite:
LTP: starting tcp4_ipsec02 (tcp_ipsec.sh -p ah -m transport -s "100 1000 65535")
BUG: spinlock recursion on CPU#1, genload/943
lock: 0xbf3c3094, .magic:
dead4ead, .owner: genload/943, .owner_cpu: 1
CPU: 1 PID: 943 Comm: genload Tainted: G O 4.9.62-axis5-devel #6
Hardware name: Axis ARTPEC-6 Platform
(unwind_backtrace) from [<
8010d134>] (show_stack+0x18/0x1c)
(show_stack) from [<
803a289c>] (dump_stack+0x84/0x98)
(dump_stack) from [<
8016e164>] (do_raw_spin_lock+0x124/0x128)
(do_raw_spin_lock) from [<
804de1a4>] (artpec6_crypto_submit+0x2c/0xa0)
(artpec6_crypto_submit) from [<
804def38>] (artpec6_crypto_prepare_submit_hash+0xd0/0x54c)
(artpec6_crypto_prepare_submit_hash) from [<
7f3165f0>] (ah_output+0x2a4/0x3dc [ah4])
(ah_output [ah4]) from [<
805df9bc>] (xfrm_output_resume+0x178/0x4a4)
(xfrm_output_resume) from [<
805d283c>] (xfrm4_output+0xac/0xbc)
(xfrm4_output) from [<
80587928>] (ip_queue_xmit+0x140/0x3b4)
(ip_queue_xmit) from [<
805a13b4>] (tcp_transmit_skb+0x4c4/0x95c)
(tcp_transmit_skb) from [<
8059f218>] (tcp_rcv_state_process+0xdf4/0xdfc)
(tcp_rcv_state_process) from [<
805a7530>] (tcp_v4_do_rcv+0x64/0x1ac)
(tcp_v4_do_rcv) from [<
805a9724>] (tcp_v4_rcv+0xa34/0xb74)
(tcp_v4_rcv) from [<
80581d34>] (ip_local_deliver_finish+0x78/0x2b0)
(ip_local_deliver_finish) from [<
8058259c>] (ip_local_deliver+0xe4/0x104)
(ip_local_deliver) from [<
805d23ec>] (xfrm4_transport_finish+0xf4/0x144)
(xfrm4_transport_finish) from [<
805df564>] (xfrm_input+0x4f4/0x74c)
(xfrm_input) from [<
804de420>] (artpec6_crypto_task+0x208/0x38c)
(artpec6_crypto_task) from [<
801271b0>] (tasklet_action+0x60/0xec)
(tasklet_action) from [<
801266d4>] (__do_softirq+0xcc/0x3a4)
(__do_softirq) from [<
80126d20>] (irq_exit+0xf4/0x15c)
(irq_exit) from [<
801741e8>] (__handle_domain_irq+0x68/0xbc)
(__handle_domain_irq) from [<
801014f0>] (gic_handle_irq+0x50/0x94)
(gic_handle_irq) from [<
80657370>] (__irq_usr+0x50/0x80)
Signed-off-by: Lars Persson <larper@axis.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hsin-Yi, Wang [Wed, 9 Jan 2019 06:59:22 +0000 (14:59 +0800)]
drm/panel: panel-innolux: set display off in innolux_panel_unprepare
[ Upstream commit
46f3ceaffa81e846677bca8668e0ad40e643cffd ]
Move mipi_dsi_dcs_set_display_off() from innolux_panel_disable()
to innolux_panel_unprepare(), so they are consistent with
innolux_panel_enable() and innolux_panel_prepare().
This also fixes some mode check and irq timeout issue in MTK dsi code.
Since some dsi code (e.g. mtk_dsi) have following call trace:
1. drm_panel_disable(), which calls innolux_panel_disable()
2. switch to cmd mode
3. drm_panel_unprepare(), which calls innolux_panel_unprepare()
However, mtk_dsi needs to be in cmd mode to be able to send commands
(e.g. mipi_dsi_dcs_set_display_off() and mipi_dsi_dcs_enter_sleep_mode()),
so we need these functions to be called after the switch to cmd mode happens,
i.e. in innolux_panel_unprepare.
Signed-off-by: Hsin-Yi, Wang <hsinyi@chromium.org>
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20190109065922.231753-1-hsinyi@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christophe Leroy [Fri, 14 Dec 2018 15:26:20 +0000 (15:26 +0000)]
lkdtm: Add tests for NULL pointer dereference
[ Upstream commit
59a12205d3c32aee4c13ca36889fdf7cfed31126 ]
Introduce lkdtm tests for NULL pointer dereference: check access or exec
at NULL address, since these errors tend to be reported differently from
the general fault error text. For example from x86:
pr_alert("BUG: unable to handle kernel %s at %px\n",
address < PAGE_SIZE ? "NULL pointer dereference" : "paging request",
(void *)address);
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Christophe Leroy [Wed, 7 Nov 2018 20:14:10 +0000 (20:14 +0000)]
lkdtm: Print real addresses
[ Upstream commit
4c411157a42f122051ae3469bee0b5cabe89e139 ]
Today, when doing a lkdtm test before the readiness of the
random generator, (ptrval) is printed instead of the address
at which it perform the fault:
[ 1597.337030] lkdtm: Performing direct entry EXEC_USERSPACE
[ 1597.337142] lkdtm: attempting ok execution at (ptrval)
[ 1597.337398] lkdtm: attempting bad execution at (ptrval)
[ 1597.337460] kernel tried to execute user page (
77858000) -exploit attempt? (uid: 0)
[ 1597.344769] Unable to handle kernel paging request for instruction fetch
[ 1597.351392] Faulting instruction address: 0x77858000
[ 1597.356312] Oops: Kernel access of bad area, sig: 11 [#1]
If the lkdtm test is done later on, it prints an hashed address.
In both cases this is pointless. The purpose of the test is to
ensure the kernel generates an Oops at the expected address,
so real addresses needs to be printed. This patch fixes that.
Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dmitry Osipenko [Sun, 21 Oct 2018 18:36:14 +0000 (21:36 +0300)]
soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()
[ Upstream commit
b6e1fd17a38bd1d97c11d69fd3207b3ef9bfa4b3 ]
This fixes splats like the one below if CONFIG_DEBUG_ATOMIC_SLEEP=y
and machine (Tegra30) booted with SMP=n or all secondary CPU's are put
offline. Locking isn't needed because it protects atomic operation.
BUG: sleeping function called from invalid context at kernel/locking/mutex.c:254
in_atomic(): 1, irqs_disabled(): 128, pid: 0, name: swapper/0
CPU: 0 PID: 0 Comm: swapper/0 Tainted: G C 4.18.0-next-
20180821-00180-gc3ebb6544e44-dirty #823
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
[<
c01134f4>] (unwind_backtrace) from [<
c010db2c>] (show_stack+0x20/0x24)
[<
c010db2c>] (show_stack) from [<
c0bd0f3c>] (dump_stack+0x94/0xa8)
[<
c0bd0f3c>] (dump_stack) from [<
c0151df8>] (___might_sleep+0x13c/0x174)
[<
c0151df8>] (___might_sleep) from [<
c0151ea0>] (__might_sleep+0x70/0xa8)
[<
c0151ea0>] (__might_sleep) from [<
c0bec2b8>] (mutex_lock+0x2c/0x70)
[<
c0bec2b8>] (mutex_lock) from [<
c0589844>] (tegra_powergate_is_powered+0x44/0xa8)
[<
c0589844>] (tegra_powergate_is_powered) from [<
c0581a60>] (tegra30_cpu_rail_off_ready+0x30/0x74)
[<
c0581a60>] (tegra30_cpu_rail_off_ready) from [<
c0122244>] (tegra30_idle_lp2+0xa0/0x108)
[<
c0122244>] (tegra30_idle_lp2) from [<
c0853438>] (cpuidle_enter_state+0x140/0x540)
[<
c0853438>] (cpuidle_enter_state) from [<
c08538a4>] (cpuidle_enter+0x40/0x4c)
[<
c08538a4>] (cpuidle_enter) from [<
c01595e0>] (call_cpuidle+0x30/0x48)
[<
c01595e0>] (call_cpuidle) from [<
c01599f8>] (do_idle+0x238/0x28c)
[<
c01599f8>] (do_idle) from [<
c0159d28>] (cpu_startup_entry+0x28/0x2c)
[<
c0159d28>] (cpu_startup_entry) from [<
c0be76c8>] (rest_init+0xd8/0xdc)
[<
c0be76c8>] (rest_init) from [<
c1200f50>] (start_kernel+0x41c/0x430)
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Acked-by: Jon Hunter <jonathanh@nvidia.com>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bart Van Assche [Wed, 27 Feb 2019 00:35:26 +0000 (16:35 -0800)]
scsi: core: Avoid that system resume triggers a kernel warning
[ Upstream commit
388b4e6a00bb3097278ed1648ac5a1cb48c894e6 ]
scsi_device_quiesce() and scsi_device_resume() are called during
system-wide suspend and resume. scsi_device_quiesce() only succeeds for
SCSI devices that are in one of the RUNNING, OFFLINE or TRANSPORT_OFFLINE
states (see also scsi_set_device_state()). This patch avoids that the
following warning is triggered when resuming a system for which quiescing a
SCSI device failed:
WARNING: CPU: 2 PID: 11303 at drivers/scsi/scsi_lib.c:2600 scsi_device_resume+0x4f/0x58
CPU: 2 PID: 11303 Comm: kworker/u8:70 Not tainted 5.0.0-rc1+ #50
Hardware name: LENOVO 80E3/Lancer 5B2, BIOS A2CN45WW(V2.13) 08/04/2016
Workqueue: events_unbound async_run_entry_fn
Call Trace:
scsi_dev_type_resume+0x2e/0x60
async_run_entry_fn+0x32/0xd8
process_one_work+0x1f4/0x420
worker_thread+0x28/0x3c0
kthread+0x118/0x130
ret_from_fork+0x22/0x40
Cc: Przemek Socha <soprwa@gmail.com>
Reported-by: Przemek Socha <soprwa@gmail.com>
Fixes:
3a0a529971ec ("block, scsi: Make SCSI quiesce and resume work reliably") # v4.15
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Julia Cartwright [Wed, 20 Feb 2019 16:46:31 +0000 (16:46 +0000)]
iommu/dmar: Fix buffer overflow during PCI bus notification
[ Upstream commit
cffaaf0c816238c45cd2d06913476c83eb50f682 ]
Commit
57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI
device path") changed the type of the path data, however, the change in
path type was not reflected in size calculations. Update to use the
correct type and prevent a buffer overflow.
This bug manifests in systems with deep PCI hierarchies, and can lead to
an overflow of the static allocated buffer (dmar_pci_notify_info_buf),
or can lead to overflow of slab-allocated data.
BUG: KASAN: global-out-of-bounds in dmar_alloc_pci_notify_info+0x1d5/0x2e0
Write of size 1 at addr
ffffffff90445d80 by task swapper/0/1
CPU: 0 PID: 1 Comm: swapper/0 Tainted: G W 4.14.87-rt49-02406-gd0a0e96 #1
Call Trace:
? dump_stack+0x46/0x59
? print_address_description+0x1df/0x290
? dmar_alloc_pci_notify_info+0x1d5/0x2e0
? kasan_report+0x256/0x340
? dmar_alloc_pci_notify_info+0x1d5/0x2e0
? e820__memblock_setup+0xb0/0xb0
? dmar_dev_scope_init+0x424/0x48f
? __down_write_common+0x1ec/0x230
? dmar_dev_scope_init+0x48f/0x48f
? dmar_free_unused_resources+0x109/0x109
? cpumask_next+0x16/0x20
? __kmem_cache_create+0x392/0x430
? kmem_cache_create+0x135/0x2f0
? e820__memblock_setup+0xb0/0xb0
? intel_iommu_init+0x170/0x1848
? _raw_spin_unlock_irqrestore+0x32/0x60
? migrate_enable+0x27a/0x5b0
? sched_setattr+0x20/0x20
? migrate_disable+0x1fc/0x380
? task_rq_lock+0x170/0x170
? try_to_run_init_process+0x40/0x40
? locks_remove_file+0x85/0x2f0
? dev_prepare_static_identity_mapping+0x78/0x78
? rt_spin_unlock+0x39/0x50
? lockref_put_or_lock+0x2a/0x40
? dput+0x128/0x2f0
? __rcu_read_unlock+0x66/0x80
? __fput+0x250/0x300
? __rcu_read_lock+0x1b/0x30
? mntput_no_expire+0x38/0x290
? e820__memblock_setup+0xb0/0xb0
? pci_iommu_init+0x25/0x63
? pci_iommu_init+0x25/0x63
? do_one_initcall+0x7e/0x1c0
? initcall_blacklisted+0x120/0x120
? kernel_init_freeable+0x27b/0x307
? rest_init+0xd0/0xd0
? kernel_init+0xf/0x120
? rest_init+0xd0/0xd0
? ret_from_fork+0x1f/0x40
The buggy address belongs to the variable:
dmar_pci_notify_info_buf+0x40/0x60
Fixes:
57384592c433 ("iommu/vt-d: Store bus information in RMRR PCI device path")
Signed-off-by: Julia Cartwright <julia@ni.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Lorenzo Bianconi [Wed, 20 Feb 2019 08:23:03 +0000 (09:23 +0100)]
net: ip6_gre: fix possible NULL pointer dereference in ip6erspan_set_version
[ Upstream commit
efcc9bcaf77c07df01371a7c34e50424c291f3ac ]
Fix a possible NULL pointer dereference in ip6erspan_set_version checking
nlattr data pointer
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7549 Comm: syz-executor432 Not tainted 5.0.0-rc6-next-
20190218
#37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:ip6erspan_set_version+0x5c/0x350 net/ipv6/ip6_gre.c:1726
Code: 07 38 d0 7f 08 84 c0 0f 85 9f 02 00 00 49 8d bc 24 b0 00 00 00 c6 43
54 01 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 9a 02 00 00 4d 8b ac 24 b0 00 00 00 4d 85 ed 0f
RSP: 0018:
ffff888089ed7168 EFLAGS:
00010202
RAX:
dffffc0000000000 RBX:
ffff8880869d6e58 RCX:
0000000000000000
RDX:
0000000000000016 RSI:
ffffffff862736b4 RDI:
00000000000000b0
RBP:
ffff888089ed7180 R08:
1ffff11010d3adcb R09:
ffff8880869d6e58
R10:
ffffed1010d3add5 R11:
ffff8880869d6eaf R12:
0000000000000000
R13:
ffffffff8931f8c0 R14:
ffffffff862825d0 R15:
ffff8880869d6e58
FS:
0000000000b3d880(0000) GS:
ffff8880ae900000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000020000184 CR3:
0000000092cc5000 CR4:
00000000001406e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Call Trace:
ip6erspan_newlink+0x66/0x7b0 net/ipv6/ip6_gre.c:2210
__rtnl_newlink+0x107b/0x16c0 net/core/rtnetlink.c:3176
rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3234
rtnetlink_rcv_msg+0x465/0xb00 net/core/rtnetlink.c:5192
netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2485
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5210
netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1336
netlink_sendmsg+0x8ae/0xd70 net/netlink/af_netlink.c:1925
sock_sendmsg_nosec net/socket.c:621 [inline]
sock_sendmsg+0xdd/0x130 net/socket.c:631
___sys_sendmsg+0x806/0x930 net/socket.c:2136
__sys_sendmsg+0x105/0x1d0 net/socket.c:2174
__do_sys_sendmsg net/socket.c:2183 [inline]
__se_sys_sendmsg net/socket.c:2181 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2181
do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440159
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:
00007fffa69156e8 EFLAGS:
00000246 ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda RBX:
00000000004002c8 RCX:
0000000000440159
RDX:
0000000000000000 RSI:
0000000020001340 RDI:
0000000000000003
RBP:
00000000006ca018 R08:
0000000000000001 R09:
00000000004002c8
R10:
0000000000000011 R11:
0000000000000246 R12:
00000000004019e0
R13:
0000000000401a70 R14:
0000000000000000 R15:
0000000000000000
Modules linked in:
---[ end trace
09f8a7d13b4faaa1 ]---
RIP: 0010:ip6erspan_set_version+0x5c/0x350 net/ipv6/ip6_gre.c:1726
Code: 07 38 d0 7f 08 84 c0 0f 85 9f 02 00 00 49 8d bc 24 b0 00 00 00 c6 43
54 01 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f
85 9a 02 00 00 4d 8b ac 24 b0 00 00 00 4d 85 ed 0f
RSP: 0018:
ffff888089ed7168 EFLAGS:
00010202
RAX:
dffffc0000000000 RBX:
ffff8880869d6e58 RCX:
0000000000000000
RDX:
0000000000000016 RSI:
ffffffff862736b4 RDI:
00000000000000b0
RBP:
ffff888089ed7180 R08:
1ffff11010d3adcb R09:
ffff8880869d6e58
R10:
ffffed1010d3add5 R11:
ffff8880869d6eaf R12:
0000000000000000
R13:
ffffffff8931f8c0 R14:
ffffffff862825d0 R15:
ffff8880869d6e58
FS:
0000000000b3d880(0000) GS:
ffff8880ae900000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
0000000020000184 CR3:
0000000092cc5000 CR4:
00000000001406e0
DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
Fixes:
4974d5f678ab ("net: ip6_gre: initialize erspan_ver just for erspan tunnels")
Reported-and-tested-by: syzbot+30191cf1057abd3064af@syzkaller.appspotmail.com
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ard Biesheuvel [Sat, 16 Feb 2019 13:51:26 +0000 (14:51 +0100)]
crypto: sha512/arm - fix crash bug in Thumb2 build
[ Upstream commit
c64316502008064c158fa40cc250665e461b0f2a ]
The SHA512 code we adopted from the OpenSSL project uses a rather
peculiar way to take the address of the round constant table: it
takes the address of the sha256_block_data_order() routine, and
substracts a constant known quantity to arrive at the base of the
table, which is emitted by the same assembler code right before
the routine's entry point.
However, recent versions of binutils have helpfully changed the
behavior of references emitted via an ADR instruction when running
in Thumb2 mode: it now takes the Thumb execution mode bit into
account, which is bit 0 af the address. This means the produced
table address also has bit 0 set, and so we end up with an address
value pointing 1 byte past the start of the table, which results
in crashes such as
Unable to handle kernel paging request at virtual address
bf825000
pgd =
42f44b11
[
bf825000] *pgd=
80000040206003, *pmd=
5f1bd003, *pte=
00000000
Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2
Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ...
CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm]
LR is at __this_module+0x17fd/0xffffe800 [sha256_arm]
pc : [<
bf820bca>] lr : [<
bf824ffd>] psr:
800b0033
sp :
ebc8bbe8 ip :
faaabe1c fp :
2fdd3433
r10:
4c5f1692 r9 :
e43037df r8 :
b04b0a5a
r7 :
c369d722 r6 :
39c3693e r5 :
7a013189 r4 :
1580d26b
r3 :
8762a9b0 r2 :
eea9c2cd r1 :
3e9ab536 r0 :
1dea4ae7
Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
Control:
70c5383d Table:
6b8467c0 DAC:
dbadc0de
Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23)
Stack: (0xebc8bbe8 to 0xebc8c000)
...
unwind: Unknown symbol address
bf820bca
unwind: Index not found
bf820bca
Code: 441a ea80 40f9 440a (f85e) 3b04
---[ end trace
e560cce92700ef8a ]---
Given that this affects older kernels as well, in case they are built
with a recent toolchain, apply a minimal backportable fix, which is
to emit another non-code label at the start of the routine, and
reference that instead. (This is similar to the current upstream state
of this file in OpenSSL)
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ard Biesheuvel [Sat, 16 Feb 2019 13:51:25 +0000 (14:51 +0100)]
crypto: sha256/arm - fix crash bug in Thumb2 build
[ Upstream commit
69216a545cf81b2b32d01948f7039315abaf75a0 ]
The SHA256 code we adopted from the OpenSSL project uses a rather
peculiar way to take the address of the round constant table: it
takes the address of the sha256_block_data_order() routine, and
substracts a constant known quantity to arrive at the base of the
table, which is emitted by the same assembler code right before
the routine's entry point.
However, recent versions of binutils have helpfully changed the
behavior of references emitted via an ADR instruction when running
in Thumb2 mode: it now takes the Thumb execution mode bit into
account, which is bit 0 af the address. This means the produced
table address also has bit 0 set, and so we end up with an address
value pointing 1 byte past the start of the table, which results
in crashes such as
Unable to handle kernel paging request at virtual address
bf825000
pgd =
42f44b11
[
bf825000] *pgd=
80000040206003, *pmd=
5f1bd003, *pte=
00000000
Internal error: Oops: 207 [#1] PREEMPT SMP THUMB2
Modules linked in: sha256_arm(+) sha1_arm_ce sha1_arm ...
CPU: 7 PID: 396 Comm: cryptomgr_test Not tainted 5.0.0-rc6+ #144
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
PC is at sha256_block_data_order+0xaaa/0xb30 [sha256_arm]
LR is at __this_module+0x17fd/0xffffe800 [sha256_arm]
pc : [<
bf820bca>] lr : [<
bf824ffd>] psr:
800b0033
sp :
ebc8bbe8 ip :
faaabe1c fp :
2fdd3433
r10:
4c5f1692 r9 :
e43037df r8 :
b04b0a5a
r7 :
c369d722 r6 :
39c3693e r5 :
7a013189 r4 :
1580d26b
r3 :
8762a9b0 r2 :
eea9c2cd r1 :
3e9ab536 r0 :
1dea4ae7
Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
Control:
70c5383d Table:
6b8467c0 DAC:
dbadc0de
Process cryptomgr_test (pid: 396, stack limit = 0x69e1fe23)
Stack: (0xebc8bbe8 to 0xebc8c000)
...
unwind: Unknown symbol address
bf820bca
unwind: Index not found
bf820bca
Code: 441a ea80 40f9 440a (f85e) 3b04
---[ end trace
e560cce92700ef8a ]---
Given that this affects older kernels as well, in case they are built
with a recent toolchain, apply a minimal backportable fix, which is
to emit another non-code label at the start of the routine, and
reference that instead. (This is similar to the current upstream state
of this file in OpenSSL)
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Cong Wang [Thu, 31 Jan 2019 21:05:49 +0000 (13:05 -0800)]
xfrm: destroy xfrm_state synchronously on net exit path
[ Upstream commit
f75a2804da391571563c4b6b29e7797787332673 ]
xfrm_state_put() moves struct xfrm_state to the GC list
and schedules the GC work to clean it up. On net exit call
path, xfrm_state_flush() is called to clean up and
xfrm_flush_gc() is called to wait for the GC work to complete
before exit.
However, this doesn't work because one of the ->destructor(),
ipcomp_destroy(), schedules the same GC work again inside
the GC work. It is hard to wait for such a nested async
callback. This is also why syzbot still reports the following
warning:
WARNING: CPU: 1 PID: 33 at net/ipv6/xfrm6_tunnel.c:351 xfrm6_tunnel_net_exit+0x2cb/0x500 net/ipv6/xfrm6_tunnel.c:351
...
ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
In fact, it is perfectly fine to bypass GC and destroy xfrm_state
synchronously on net exit call path, because it is in process context
and doesn't need a work struct to do any blocking work.
This patch introduces xfrm_state_put_sync() which simply bypasses
GC, and lets its callers to decide whether to use this synchronous
version. On net exit path, xfrm_state_fini() and
xfrm6_tunnel_net_exit() use it. And, as ipcomp_destroy() itself is
blocking, it can use xfrm_state_put_sync() directly too.
Also rename xfrm_state_gc_destroy() to ___xfrm_state_destroy() to
reflect this change.
Fixes:
b48c05ab5d32 ("xfrm: Fix warning in xfrm6_tunnel_net_exit.")
Reported-and-tested-by: syzbot+e9aebef558e3ed673934@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
shamir rabinovitch [Sun, 16 Dec 2018 07:01:08 +0000 (09:01 +0200)]
net/rds: fix warn in rds_message_alloc_sgs
[ Upstream commit
ea010070d0a7497253d5a6f919f6dd107450b31a ]
redundant copy_from_user in rds_sendmsg system call expose rds
to issue where rds_rdma_extra_size walk the rds iovec and and
calculate the number pf pages (sgs) it need to add to the tail of
rds message and later rds_cmsg_rdma_args copy the rds iovec again
and re calculate the same number and get different result causing
WARN_ON in rds_message_alloc_sgs.
fix this by doing the copy_from_user only once per rds_sendmsg
system call.
When issue occur the below dump is seen:
WARNING: CPU: 0 PID: 19789 at net/rds/message.c:316 rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 19789 Comm: syz-executor827 Not tainted 4.19.0-next-
20181030+ #101
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
panic+0x2ad/0x55c kernel/panic.c:188
__warn.cold.8+0x20/0x45 kernel/panic.c:540
report_bug+0x254/0x2d0 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
RIP: 0010:rds_message_alloc_sgs+0x10c/0x160 net/rds/message.c:316
Code: c0 74 04 3c 03 7e 6c 44 01 ab 78 01 00 00 e8 2b 9e 35 fa 4c 89 e0 48 83 c4 08 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 14 9e 35 fa <0f> 0b 31 ff 44 89 ee e8 18 9f 35 fa 45 85 ed 75 1b e8 fe 9d 35 fa
RSP: 0018:
ffff8801c51b7460 EFLAGS:
00010293
RAX:
ffff8801bc412080 RBX:
ffff8801d7bf4040 RCX:
ffffffff8749c9e6
RDX:
0000000000000000 RSI:
ffffffff8749ca5c RDI:
0000000000000004
RBP:
ffff8801c51b7490 R08:
ffff8801bc412080 R09:
ffffed003b5c5b67
R10:
ffffed003b5c5b67 R11:
ffff8801dae2db3b R12:
0000000000000000
R13:
000000000007165c R14:
000000000007165c R15:
0000000000000005
rds_cmsg_rdma_args+0x82d/0x1510 net/rds/rdma.c:623
rds_cmsg_send net/rds/send.c:971 [inline]
rds_sendmsg+0x19a2/0x3180 net/rds/send.c:1273
sock_sendmsg_nosec net/socket.c:622 [inline]
sock_sendmsg+0xd5/0x120 net/socket.c:632
___sys_sendmsg+0x7fd/0x930 net/socket.c:2117
__sys_sendmsg+0x11d/0x280 net/socket.c:2155
__do_sys_sendmsg net/socket.c:2164 [inline]
__se_sys_sendmsg net/socket.c:2162 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x44a859
Code: e8 dc e6 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b cb fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:
00007f1d4710ada8 EFLAGS:
00000297 ORIG_RAX:
000000000000002e
RAX:
ffffffffffffffda RBX:
00000000006dcc28 RCX:
000000000044a859
RDX:
0000000000000000 RSI:
0000000020001600 RDI:
0000000000000003
RBP:
00000000006dcc20 R08:
0000000000000000 R09:
0000000000000000
R10:
0000000000000000 R11:
0000000000000297 R12:
00000000006dcc2c
R13:
646e732f7665642f R14:
00007f1d4710b9c0 R15:
00000000006dcd2c
Kernel Offset: disabled
Rebooting in 86400 seconds..
Reported-by: syzbot+26de17458aeda9d305d8@syzkaller.appspotmail.com
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: shamir rabinovitch <shamir.rabinovitch@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Rafael J. Wysocki [Mon, 17 Dec 2018 11:21:55 +0000 (12:21 +0100)]
ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle
[ Upstream commit
f941d3e41da7f86bdb9dcc1977c2bcc6b89bfe47 ]
There are systems in which non-wakeup GPEs fire during the "noirq"
suspend stage of suspending devices and that effectively prevents the
system that tries to suspend to idle from entering any low-power
state at all. If the offending GPE fires regularly and often enough,
the system appears to be suspended, but in fact it is in a tight loop
over "noirq" suspend and "noirq" resume of devices all the time.
To prevent that from happening, disable all non-wakeup GPEs except
for the EC GPE for suspend-to-idle (the EC GPE is special, because
on some systems it has to be enabled for power button wakeup events
to be generated as expected).
Fixes:
147a7d9d25ca (ACPI / PM: Do not reconfigure GPEs for suspend-to-idle)
Link: https://bugzilla.kernel.org/show_bug.cgi?id=201987
Reported-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Tested-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ayman Bagabas [Wed, 12 Dec 2018 23:07:57 +0000 (18:07 -0500)]
ALSA: hda: fix front speakers on Huawei MBXP
[ Upstream commit
8ac51bbc4cfec4ef08b03bef24b31e2d50ef8b37 ]
This patch solves bug 200501 'Only 2 of 4 speakers playing sound.'
It enables the front speakers on Huawei Matebook X Pro laptops.
These laptops come with Dolby Atmos sound system and these pins
configuration enables the front speakers.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200501
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Reviewed-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Ayman Bagabas <ayman.bagabas@gmail.com>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Trigger Huang [Tue, 6 Nov 2018 11:37:58 +0000 (19:37 +0800)]
drm/ttm: Fix bo_global and mem_global kfree error
[ Upstream commit
30f33126feca0fe16df9e9302ffc28a953e2eb37 ]
ttm_bo_glob and ttm_mem_glob are defined as structure instance, while
not allocated by kzalloc, so kfree should not be invoked to release
them anymore. Otherwise, it will cause the following kernel BUG when
unloading amdgpu module
[ 48.419294] kernel BUG at /build/linux-5s7Xkn/linux-4.15.0/mm/slub.c:3894!
[ 48.419352] invalid opcode: 0000 [#1] SMP PTI
[ 48.419387] Modules linked in: amdgpu(OE-) amdchash(OE) amdttm(OE) amd_sched(OE) amdkcl(OE) amd_iommu_v2 drm_kms_helper drm i2c_algo_bit fb_sys_fops syscopyarea sysfillrect sysimgblt snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi pcbc snd_seq snd_seq_device snd_timer aesni_intel snd soundcore joydev aes_x86_64 crypto_simd glue_helper cryptd input_leds mac_hid serio_raw binfmt_misc nfsd auth_rpcgss nfs_acl lockd grace sunrpc sch_fq_codel parport_pc ppdev lp parport ip_tables x_tables autofs4 8139too psmouse i2c_piix4 8139cp mii floppy pata_acpi
[ 48.419782] CPU: 1 PID: 1281 Comm: modprobe Tainted: G OE 4.15.0-20-generic #21-Ubuntu
[ 48.419838] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 48.419901] RIP: 0010:kfree+0x137/0x180
[ 48.419934] RSP: 0018:
ffffb02101273bf8 EFLAGS:
00010246
[ 48.419974] RAX:
ffffeee1418ad7e0 RBX:
ffffffffc075f100 RCX:
ffff8fed7fca7ed0
[ 48.420025] RDX:
0000000000000000 RSI:
000000000003440e RDI:
0000000022400000
[ 48.420073] RBP:
ffffb02101273c10 R08:
0000000000000010 R09:
ffff8fed7ffd3680
[ 48.420121] R10:
ffffeee1418ad7c0 R11:
ffff8fed7ffd3000 R12:
ffffffffc075e2c0
[ 48.420169] R13:
ffffffffc074ec10 R14:
ffff8fed73063900 R15:
ffff8fed737428e8
[ 48.420216] FS:
00007fdc912ec540(0000) GS:
ffff8fed7fc80000(0000) knlGS:
0000000000000000
[ 48.420267] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 48.420308] CR2:
000055fa40c30060 CR3:
000000023470a006 CR4:
00000000003606e0
[ 48.420358] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 48.420405] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 48.420452] Call Trace:
[ 48.420485] ttm_bo_global_kobj_release+0x20/0x30 [amdttm]
[ 48.420528] kobject_release+0x6a/0x180
[ 48.420562] kobject_put+0x28/0x50
[ 48.420595] ttm_bo_global_release+0x36/0x50 [amdttm]
[ 48.420636] amdttm_bo_device_release+0x119/0x180 [amdttm]
[ 48.420678] ? amdttm_bo_clean_mm+0xa6/0xf0 [amdttm]
[ 48.420760] amdgpu_ttm_fini+0xc9/0x180 [amdgpu]
[ 48.420821] amdgpu_bo_fini+0x12/0x40 [amdgpu]
[ 48.420889] gmc_v9_0_sw_fini+0x40/0x50 [amdgpu]
[ 48.420947] amdgpu_device_fini+0x36f/0x4c0 [amdgpu]
[ 48.421007] amdgpu_driver_unload_kms+0xb4/0x150 [amdgpu]
[ 48.421058] drm_dev_unregister+0x46/0xf0 [drm]
[ 48.421102] drm_dev_unplug+0x12/0x70 [drm]
Signed-off-by: Trigger Huang <Trigger.Huang@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Hans de Goede [Sun, 14 Oct 2018 17:54:27 +0000 (19:54 +0200)]
platform/x86: Add Intel AtomISP2 dummy / power-management driver
[ Upstream commit
49ad712afa88c502831d37f7089d98eac441fb80 ]
The Image Signal Processor found on Cherry Trail devices is brought up in
D0 state on devices which have camera sensors attached to it. The ISP will
not enter D3 state again without some massaging of its registers beforehand
and the ISP not being in D3 state blocks the SoC from entering S0ix modes.
There was a driver for the ISP in drivers/staging but that got removed
again because it never worked. It does not seem likely that a real
driver for the ISP will be added to the mainline kernel anytime soon.
This commit adds a dummy driver which contains the necessary magic from
the staging driver to powerdown the ISP, so that Cherry Trail devices where
the ISP is used will properly use S0ix modes when suspended.
Together with other recent S0ix related fixes this allows S0ix modes to
be entered on e.g. a Chuwi Hi8 Pro and a HP x2 210.
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=196915
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Alan Cox <alan@linux.intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Vitaly Kuznetsov [Wed, 17 Oct 2018 11:23:55 +0000 (13:23 +0200)]
kernel: hung_task.c: disable on suspend
[ Upstream commit
a1c6ca3c6de763459a6e93b644ec6518c890ba1c ]
It is possible to observe hung_task complaints when system goes to
suspend-to-idle state:
# echo freeze > /sys/power/state
PM: Syncing filesystems ... done.
Freezing user space processes ... (elapsed 0.001 seconds) done.
OOM killer disabled.
Freezing remaining freezable tasks ... (elapsed 0.002 seconds) done.
sd 0:0:0:0: [sda] Synchronizing SCSI cache
INFO: task bash:1569 blocked for more than 120 seconds.
Not tainted 4.19.0-rc3_+ #687
"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
bash D 0 1569 604 0x00000000
Call Trace:
? __schedule+0x1fe/0x7e0
schedule+0x28/0x80
suspend_devices_and_enter+0x4ac/0x750
pm_suspend+0x2c0/0x310
Register a PM notifier to disable the detector on suspend and re-enable
back on wakeup.
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Steve French [Fri, 19 Oct 2018 06:58:22 +0000 (01:58 -0500)]
cifs: fallback to older infolevels on findfirst queryinfo retry
[ Upstream commit
3b7960caceafdfc2cdfe2850487f8d091eb41144 ]
In cases where queryinfo fails, we have cases in cifs (vers=1.0)
where with backupuid mounts we retry the query info with findfirst.
This doesn't work to some NetApp servers which don't support
WindowsXP (and later) infolevel 261 (SMB_FIND_FILE_ID_FULL_DIR_INFO)
so in this case use other info levels (in this case it will usually
be level 257, SMB_FIND_FILE_DIRECTORY_INFO).
(Also fixes some indentation)
See kernel bugzilla 201435
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Thor Thayer [Mon, 22 Oct 2018 22:22:26 +0000 (17:22 -0500)]
net: stmmac: Set OWN bit for jumbo frames
[ Upstream commit
487e2e22ab7968f2c0c82f37b5ca5883efd1a354 ]
Ping with Jumbo packet does not reply and get a watchdog timeout
[ 46.059616] ------------[ cut here ]------------
[ 46.064268] NETDEV WATCHDOG: eth0 (socfpga-dwmac): transmit queue 0 timed out
[ 46.071471] WARNING: CPU: 1 PID: 0 at net/sched/sch_generic.c:461 dev_watchdog+0x2cc/0x2d8
[ 46.079708] Modules linked in:
[ 46.082761] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.18.0-00115-gc262be665854-dirty #264
[ 46.091082] Hardware name: SoCFPGA Stratix 10 SoCDK (DT)
[ 46.096377] pstate:
20000005 (nzCv daif -PAN -UAO)
[ 46.101152] pc : dev_watchdog+0x2cc/0x2d8
[ 46.105149] lr : dev_watchdog+0x2cc/0x2d8
[ 46.109144] sp :
ffff00000800bd80
[ 46.112447] x29:
ffff00000800bd80 x28:
ffff80007a9b4940
[ 46.117744] x27:
00000000ffffffff x26:
ffff80007aa183b0
[ 46.123040] x25:
0000000000000001 x24:
0000000000000140
[ 46.128336] x23:
ffff80007aa1839c x22:
ffff80007aa17fb0
[ 46.133632] x21:
ffff80007aa18000 x20:
ffff0000091a7000
[ 46.138927] x19:
0000000000000000 x18:
ffffffffffffffff
[ 46.144223] x17:
0000000000000000 x16:
0000000000000000
[ 46.149519] x15:
ffff0000091a96c8 x14:
07740775076f0720
[ 46.154814] x13:
07640765076d0769 x12:
0774072007300720
[ 46.160110] x11:
0765077507650775 x10:
0771072007740769
[ 46.165406] x9 :
076d0773076e0761 x8 :
077207740720073a
[ 46.170702] x7 :
072907630761076d x6 :
ffff80007ff9a0c0
[ 46.175997] x5 :
ffff80007ff9a0c0 x4 :
0000000000000002
[ 46.181293] x3 :
0000000000000000 x2 :
ffff0000091ac180
[ 46.186589] x1 :
e6a742ebe628e800 x0 :
0000000000000000
[ 46.191885] Call trace:
[ 46.194326] dev_watchdog+0x2cc/0x2d8
[ 46.197980] call_timer_fn+0x20/0x78
[ 46.201544] expire_timers+0xa4/0xb0
[ 46.205108] run_timer_softirq+0xe4/0x198
[ 46.209107] __do_softirq+0x114/0x210
[ 46.212760] irq_exit+0xd0/0xd8
[ 46.215895] __handle_domain_irq+0x60/0xb0
[ 46.219977] gic_handle_irq+0x58/0xa8
[ 46.223628] el1_irq+0xb0/0x128
[ 46.226761] arch_cpu_idle+0x10/0x18
[ 46.230326] do_idle+0x1d4/0x288
[ 46.233544] cpu_startup_entry+0x24/0x28
[ 46.237457] secondary_start_kernel+0x17c/0x1c0
[ 46.241971] ---[ end trace
57048cd1372cd828 ]---
Inspection of queue showed Jumbo packets were not sent out.
The ring Jumbo packet function needs to set the OWN bit so
the packet is sent.
Signed-off-by: Thor Thayer <thor.thayer@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sheng Yong [Fri, 12 Oct 2018 10:49:26 +0000 (18:49 +0800)]
f2fs: cleanup dirty pages if recover failed
[ Upstream commit
26b5a079197c8cb6725565968b7fd3299bd1877b ]
During recover, we will try to create new dentries for inodes with
dentry_mark. But if the parent is missing (e.g. killed by fsck),
recover will break. But those recovered dirty pages are not cleanup.
This will hit f2fs_bug_on:
[ 53.519566] F2FS-fs (loop0): Found nat_bits in checkpoint
[ 53.539354] F2FS-fs (loop0): recover_inode: ino = 5, name = file, inline = 3
[ 53.539402] F2FS-fs (loop0): recover_dentry: ino = 5, name = file, dir = 0, err = -2
[ 53.545760] F2FS-fs (loop0): Cannot recover all fsync data errno=-2
[ 53.546105] F2FS-fs (loop0): access invalid blkaddr:
4294967295
[ 53.546171] WARNING: CPU: 1 PID: 1798 at fs/f2fs/checkpoint.c:163 f2fs_is_valid_blkaddr+0x26c/0x320
[ 53.546174] Modules linked in:
[ 53.546183] CPU: 1 PID: 1798 Comm: mount Not tainted 4.19.0-rc2+ #1
[ 53.546186] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 53.546191] RIP: 0010:f2fs_is_valid_blkaddr+0x26c/0x320
[ 53.546195] Code: 85 bb 00 00 00 48 89 df 88 44 24 07 e8 ad a8 db ff 48 8b 3b 44 89 e1 48 c7 c2 40 03 72 a9 48 c7 c6 e0 01 72 a9 e8 84 3c ff ff <0f> 0b 0f b6 44 24 07 e9 8a 00 00 00 48 8d bf 38 01 00 00 e8 7c a8
[ 53.546201] RSP: 0018:
ffff88006c067768 EFLAGS:
00010282
[ 53.546208] RAX:
0000000000000000 RBX:
ffff880068844200 RCX:
ffffffffa83e1a33
[ 53.546211] RDX:
0000000000000000 RSI:
0000000000000008 RDI:
ffff88006d51e590
[ 53.546215] RBP:
0000000000000005 R08:
ffffed000daa3cb3 R09:
ffffed000daa3cb3
[ 53.546218] R10:
0000000000000001 R11:
ffffed000daa3cb2 R12:
00000000ffffffff
[ 53.546221] R13:
ffff88006a1f8000 R14:
0000000000000200 R15:
0000000000000009
[ 53.546226] FS:
00007fb2f3646840(0000) GS:
ffff88006d500000(0000) knlGS:
0000000000000000
[ 53.546229] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 53.546234] CR2:
00007f0fd77f0008 CR3:
00000000687e6002 CR4:
00000000000206e0
[ 53.546237] DR0:
0000000000000000 DR1:
0000000000000000 DR2:
0000000000000000
[ 53.546240] DR3:
0000000000000000 DR6:
00000000fffe0ff0 DR7:
0000000000000400
[ 53.546242] Call Trace:
[ 53.546248] f2fs_submit_page_bio+0x95/0x740
[ 53.546253] read_node_page+0x161/0x1e0
[ 53.546271] ? truncate_node+0x650/0x650
[ 53.546283] ? add_to_page_cache_lru+0x12c/0x170
[ 53.546288] ? pagecache_get_page+0x262/0x2d0
[ 53.546292] __get_node_page+0x200/0x660
[ 53.546302] f2fs_update_inode_page+0x4a/0x160
[ 53.546306] f2fs_write_inode+0x86/0xb0
[ 53.546317] __writeback_single_inode+0x49c/0x620
[ 53.546322] writeback_single_inode+0xe4/0x1e0
[ 53.546326] sync_inode_metadata+0x93/0xd0
[ 53.546330] ? sync_inode+0x10/0x10
[ 53.546342] ? do_raw_spin_unlock+0xed/0x100
[ 53.546347] f2fs_sync_inode_meta+0xe0/0x130
[ 53.546351] f2fs_fill_super+0x287d/0x2d10
[ 53.546367] ? vsnprintf+0x742/0x7a0
[ 53.546372] ? f2fs_commit_super+0x180/0x180
[ 53.546379] ? up_write+0x20/0x40
[ 53.546385] ? set_blocksize+0x5f/0x140
[ 53.546391] ? f2fs_commit_super+0x180/0x180
[ 53.546402] mount_bdev+0x181/0x200
[ 53.546406] mount_fs+0x94/0x180
[ 53.546411] vfs_kern_mount+0x6c/0x1e0
[ 53.546415] do_mount+0xe5e/0x1510
[ 53.546420] ? fs_reclaim_release+0x9/0x30
[ 53.546424] ? copy_mount_string+0x20/0x20
[ 53.546428] ? fs_reclaim_acquire+0xd/0x30
[ 53.546435] ? __might_sleep+0x2c/0xc0
[ 53.546440] ? ___might_sleep+0x53/0x170
[ 53.546453] ? __might_fault+0x4c/0x60
[ 53.546468] ? _copy_from_user+0x95/0xa0
[ 53.546474] ? memdup_user+0x39/0x60
[ 53.546478] ksys_mount+0x88/0xb0
[ 53.546482] __x64_sys_mount+0x5d/0x70
[ 53.546495] do_syscall_64+0x65/0x130
[ 53.546503] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 53.547639] ---[ end trace
b804d1ea2fec893e ]---
So if recover fails, we need to drop all recovered data.
Signed-off-by: Sheng Yong <shengyong1@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Taehee Yoo [Mon, 1 Oct 2018 17:17:14 +0000 (02:17 +0900)]
netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine
[ Upstream commit
b7f1a16d29b2e28d3dcbb070511bd703e306281b ]
When device is unregistered, flowtable flush routine is called
by notifier_call(nf_tables_flowtable_event). and exit callback of
nftables pernet_operation(nf_tables_exit_net) also has flowtable flush
routine. but when network namespace is destroyed, both notifier_call
and pernet_operation are called. hence flowtable flush routine in
pernet_operation is unnecessary.
test commands:
%ip netns add vm1
%ip netns exec vm1 nft add table ip filter
%ip netns exec vm1 nft add flowtable ip filter w \
{ hook ingress priority 0\; devices = { lo }\; }
%ip netns del vm1
splat looks like:
[ 265.187019] WARNING: CPU: 0 PID: 87 at net/netfilter/core.c:309 nf_hook_entry_head+0xc7/0xf0
[ 265.187112] Modules linked in: nf_flow_table_ipv4 nf_flow_table nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 nf_tables nfnetlink ip_tables x_tables
[ 265.187390] CPU: 0 PID: 87 Comm: kworker/u4:2 Not tainted 4.19.0-rc3+ #5
[ 265.187453] Workqueue: netns cleanup_net
[ 265.187514] RIP: 0010:nf_hook_entry_head+0xc7/0xf0
[ 265.187546] Code: 8d 81 68 03 00 00 5b c3 89 d0 83 fa 04 48 8d 84 c7 e8 11 00 00 76 81 0f 0b 31 c0 e9 78 ff ff ff 0f 0b 48 83 c4 08 31 c0 5b c3 <0f> 0b 31 c0 e9 65 ff ff ff 0f 0b 31 c0 e9 5c ff ff ff 48 89 0c 24
[ 265.187573] RSP: 0018:
ffff88011546f098 EFLAGS:
00010246
[ 265.187624] RAX:
ffffffff8d90e135 RBX:
1ffff10022a8de1c RCX:
0000000000000000
[ 265.187645] RDX:
0000000000000000 RSI:
0000000000000005 RDI:
ffff880116298040
[ 265.187645] RBP:
ffff88010ea4c1a8 R08:
0000000000000000 R09:
0000000000000000
[ 265.187645] R10:
ffff88011546f1d8 R11:
ffffed0022c532c1 R12:
ffff88010ea4c1d0
[ 265.187645] R13:
0000000000000005 R14:
dffffc0000000000 R15:
ffff88010ea4c1c4
[ 265.187645] FS:
0000000000000000(0000) GS:
ffff88011b200000(0000) knlGS:
0000000000000000
[ 265.187645] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 265.187645] CR2:
00007fdfb8d00000 CR3:
0000000057a16000 CR4:
00000000001006f0
[ 265.187645] Call Trace:
[ 265.187645] __nf_unregister_net_hook+0xca/0x5d0
[ 265.187645] ? nf_hook_entries_free.part.3+0x80/0x80
[ 265.187645] ? save_trace+0x300/0x300
[ 265.187645] nf_unregister_net_hooks+0x2e/0x40
[ 265.187645] nf_tables_exit_net+0x479/0x1340 [nf_tables]
[ 265.187645] ? find_held_lock+0x39/0x1c0
[ 265.187645] ? nf_tables_abort+0x30/0x30 [nf_tables]
[ 265.187645] ? inet_frag_destroy_rcu+0xd0/0xd0
[ 265.187645] ? trace_hardirqs_on+0x93/0x210
[ 265.187645] ? __bpf_trace_preemptirq_template+0x10/0x10
[ 265.187645] ? inet_frag_destroy_rcu+0xd0/0xd0
[ 265.187645] ? inet_frag_destroy_rcu+0xd0/0xd0
[ 265.187645] ? __mutex_unlock_slowpath+0x17f/0x740
[ 265.187645] ? wait_for_completion+0x710/0x710
[ 265.187645] ? bucket_table_free+0xb2/0x1f0
[ 265.187645] ? nested_table_free+0x130/0x130
[ 265.187645] ? __lock_is_held+0xb4/0x140
[ 265.187645] ops_exit_list.isra.10+0x94/0x140
[ 265.187645] cleanup_net+0x45b/0x900
[ ... ]
This WARNING means that hook unregisteration is failed because
all flowtables hooks are already unregistered by notifier_call.
Network namespace exit routine guarantees that all devices will be
unregistered first. then, other exit callbacks of pernet_operations
are called. so that removing flowtable flush routine in exit callback of
pernet_operation(nf_tables_exit_net) doesn't make flowtable leak.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
ndesaulniers@google.com [Mon, 15 Oct 2018 17:22:21 +0000 (10:22 -0700)]
compiler.h: update definition of unreachable()
[ Upstream commit
fe0640eb30b7da261ae84d252ed9ed3c7e68dfd8 ]
Fixes the objtool warning seen with Clang:
arch/x86/mm/fault.o: warning: objtool: no_context()+0x220: unreachable
instruction
Fixes commit
815f0ddb346c ("include/linux/compiler*.h: make compiler-*.h
mutually exclusive")
Josh noted that the fallback definition was meant to work around a
pre-gcc-4.6 bug. GCC still needs to work around
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82365, so compiler-gcc.h
defines its own version of unreachable(). Clang and ICC can use this
shared definition.
Link: https://github.com/ClangBuiltLinux/linux/issues/204
Suggested-by: Andy Lutomirski <luto@amacapital.net>
Suggested-by: Josh Poimboeuf <jpoimboe@redhat.com>
Tested-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Sean Christopherson [Wed, 22 Aug 2018 21:57:07 +0000 (14:57 -0700)]
KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail
[ Upstream commit
bd18bffca35397214ae68d85cf7203aca25c3c1d ]
A VMEnter that VMFails (as opposed to VMExits) does not touch host
state beyond registers that are explicitly noted in the VMFail path,
e.g. EFLAGS. Host state does not need to be loaded because VMFail
is only signaled for consistency checks that occur before the CPU
starts to load guest state, i.e. there is no need to restore any
state as nothing has been modified. But in the case where a VMFail
is detected by hardware and not by KVM (due to deferring consistency
checks to hardware), KVM has already loaded some amount of guest
state. Luckily, "loaded" only means loaded to KVM's software model,
i.e. vmcs01 has not been modified. So, unwind our software model to
the pre-VMEntry host state.
Not restoring host state in this VMFail path leads to a variety of
failures because we end up with stale data in vcpu->arch, e.g. CR0,
CR4, EFER, etc... will all be out of sync relative to vmcs01. Any
significant delta in the stale data is all but guaranteed to crash
L1, e.g. emulation of SMEP, SMAP, UMIP, WP, etc... will be wrong.
An alternative to this "soft" reload would be to load host state from
vmcs12 as if we triggered a VMExit (as opposed to VMFail), but that is
wildly inconsistent with respect to the VMX architecture, e.g. an L1
VMM with separate VMExit and VMFail paths would explode.
Note that this approach does not mean KVM is 100% accurate with
respect to VMX hardware behavior, even at an architectural level
(the exact order of consistency checks is microarchitecture specific).
But 100% emulation accuracy isn't the goal (with this patch), rather
the goal is to be consistent in the information delivered to L1, e.g.
a VMExit should not fall-through VMENTER, and a VMFail should not jump
to HOST_RIP.
This technically reverts commit "
5af4157388ad (KVM: nVMX: Fix mmu
context after VMLAUNCH/VMRESUME failure)", but retains the core
aspects of that patch, just in an open coded form due to the need to
pull state from vmcs01 instead of vmcs12. Restoring host state
resolves a variety of issues introduced by commit "
4f350c6dbcb9
(kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly)",
which remedied the incorrect behavior of treating VMFail like VMExit
but in doing so neglected to restore arch state that had been modified
prior to attempting nested VMEnter.
A sample failure that occurs due to stale vcpu.arch state is a fault
of some form while emulating an LGDT (due to emulated UMIP) from L1
after a failed VMEntry to L3, in this case when running the KVM unit
test test_tpr_threshold_values in L1. L0 also hits a WARN in this
case due to a stale arch.cr4.UMIP.
L1:
BUG: unable to handle kernel paging request at
ffffc90000663b9e
PGD
276512067 P4D
276512067 PUD
276513067 PMD
274efa067 PTE
8000000271de2163
Oops: 0009 [#1] SMP
CPU: 5 PID: 12495 Comm: qemu-system-x86 Tainted: G W 4.18.0-rc2+ #2
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
RIP: 0010:native_load_gdt+0x0/0x10
...
Call Trace:
load_fixmap_gdt+0x22/0x30
__vmx_load_host_state+0x10e/0x1c0 [kvm_intel]
vmx_switch_vmcs+0x2d/0x50 [kvm_intel]
nested_vmx_vmexit+0x222/0x9c0 [kvm_intel]
vmx_handle_exit+0x246/0x15a0 [kvm_intel]
kvm_arch_vcpu_ioctl_run+0x850/0x1830 [kvm]
kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
do_vfs_ioctl+0x9f/0x600
ksys_ioctl+0x66/0x70
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x4f/0x100
entry_SYSCALL_64_after_hwframe+0x44/0xa9
L0:
WARNING: CPU: 2 PID: 3529 at arch/x86/kvm/vmx.c:6618 handle_desc+0x28/0x30 [kvm_intel]
...
CPU: 2 PID: 3529 Comm: qemu-system-x86 Not tainted 4.17.2-coffee+ #76
Hardware name: Intel Corporation Kabylake Client platform/KBL S
RIP: 0010:handle_desc+0x28/0x30 [kvm_intel]
...
Call Trace:
kvm_arch_vcpu_ioctl_run+0x863/0x1840 [kvm]
kvm_vcpu_ioctl+0x3a1/0x5c0 [kvm]
do_vfs_ioctl+0x9f/0x5e0
ksys_ioctl+0x66/0x70
__x64_sys_ioctl+0x16/0x20
do_syscall_64+0x49/0xf0
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes:
5af4157388ad (KVM: nVMX: Fix mmu context after VMLAUNCH/VMRESUME failure)
Fixes:
4f350c6dbcb9 (kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly)
Cc: Jim Mattson <jmattson@google.com>
Cc: Krish Sadhukhan <krish.sadhukhan@oracle.com>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Radim KrÄmář <rkrcmar@redhat.com>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Signed-off-by: Sean Christopherson <sean.j.christopherson@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kai-Heng Feng [Thu, 11 Oct 2018 07:56:33 +0000 (15:56 +0800)]
HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2
[ Upstream commit
ce9d58d3eafcb2d452a69bdcc1c5f8b8ff640de5 ]
Redragon Seymur 2 stops working since commit
190d7f02ce8e ("HID: input:
do not increment usages when a duplicate is found").
Use quirk HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE suggested by the commit
can solve the issue.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200995
BugLink: https://bugs.launchpad.net/bugs/1793846
Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ronald Tschalär [Mon, 1 Oct 2018 02:52:51 +0000 (19:52 -0700)]
ACPI / SBS: Fix GPE storm on recent MacBookPro's
[ Upstream commit
ca1721c5bee77105829cbd7baab8ee0eab85b06d ]
On Apple machines, plugging-in or unplugging the power triggers a GPE
for the EC. Since these machines expose an SBS device, this GPE ends
up triggering the acpi_sbs_callback(). This in turn tries to get the
status of the SBS charger. However, on MBP13,* and MBP14,* machines,
performing the smbus-read operation to get the charger's status triggers
the EC's GPE again. The result is an endless re-triggering and handling
of that GPE, consuming significant CPU resources (> 50% in irq).
In the end this is quite similar to commit
3031cddea633 (ACPI / SBS:
Don't assume the existence of an SBS charger), except that on the above
machines a status of all 1's is returned. And like there, we just want
ignore the charger here.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=198169
Signed-off-by: Ronald Tschalär <ronald@innovation.ch>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Maciej Żenczykowski [Thu, 20 Sep 2018 20:29:42 +0000 (13:29 -0700)]
usbip: fix vhci_hcd controller counting
[ Upstream commit
e0a2e73e501c77037c8756137e87b12c7c3c9793 ]
Without this usbip fails on a machine with devices
that lexicographically come after vhci_hcd.
ie.
$ ls -l /sys/devices/platform
...
drwxr-xr-x. 4 root root 0 Sep 19 16:21 serial8250
-rw-r--r--. 1 root root 4096 Sep 19 23:50 uevent
drwxr-xr-x. 6 root root 0 Sep 20 13:15 vhci_hcd.0
drwxr-xr-x. 4 root root 0 Sep 19 16:22 w83627hf.656
Because it detects 'w83627hf.656' as another vhci_hcd controller,
and then fails to be able to talk to it.
Note: this doesn't actually fix usbip's support for multiple
controllers... that's still broken for other reasons
("vhci_hcd.0" is hardcoded in a string macro), but is enough to
actually make it work on the above machine.
See also:
https://bugzilla.redhat.com/show_bug.cgi?id=1631148
Cc: Jonathan Dieter <jdieter@gmail.com>
Cc: Valentina Manea <valentina.manea.m@gmail.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: linux-usb@vger.kernel.org
Signed-off-by: Maciej Żenczykowski <zenczykowski@gmail.com>
Acked-by: Shuah Khan (Samsung OSG) <shuah@kernel.org>
Tested-by: Jonathan Dieter <jdieter@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Bartlomiej Zolnierkiewicz [Fri, 28 Sep 2018 13:32:46 +0000 (15:32 +0200)]
ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms
[ Upstream commit
6862fdf2201ab67cd962dbf0643d37db909f4860 ]
"S3C2410 PM Suspend Memory CRC" feature (controlled by
SAMSUNG_PM_CHECK config option) is incompatible with highmem
(uses phys_to_virt() instead of proper mapping) which is used by
the majority of Exynos boards. The issue manifests itself in OOPS
on affected boards, i.e. on Odroid-U3 I got the following one:
Unable to handle kernel paging request at virtual address
f0000000
pgd =
1c0f9bb4
[
f0000000] *pgd=
00000000
Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[<
c0458034>] (crc32_le) from [<
c0121f8c>] (s3c_pm_makecheck+0x34/0x54)
[<
c0121f8c>] (s3c_pm_makecheck) from [<
c0121efc>] (s3c_pm_run_res+0x74/0x8c)
[<
c0121efc>] (s3c_pm_run_res) from [<
c0121ecc>] (s3c_pm_run_res+0x44/0x8c)
[<
c0121ecc>] (s3c_pm_run_res) from [<
c01210b8>] (exynos_suspend_enter+0x64/0x148)
[<
c01210b8>] (exynos_suspend_enter) from [<
c018893c>] (suspend_devices_and_enter+0x9ec/0xe74)
[<
c018893c>] (suspend_devices_and_enter) from [<
c0189534>] (pm_suspend+0x770/0xc04)
[<
c0189534>] (pm_suspend) from [<
c0186ce8>] (state_store+0x6c/0xcc)
[<
c0186ce8>] (state_store) from [<
c09db434>] (kobj_attr_store+0x14/0x20)
[<
c09db434>] (kobj_attr_store) from [<
c02fa63c>] (sysfs_kf_write+0x4c/0x50)
[<
c02fa63c>] (sysfs_kf_write) from [<
c02f97a4>] (kernfs_fop_write+0xfc/0x1e4)
[<
c02f97a4>] (kernfs_fop_write) from [<
c027b198>] (__vfs_write+0x2c/0x140)
[<
c027b198>] (__vfs_write) from [<
c027b418>] (vfs_write+0xa4/0x160)
[<
c027b418>] (vfs_write) from [<
c027b5d8>] (ksys_write+0x40/0x8c)
[<
c027b5d8>] (ksys_write) from [<
c0101000>] (ret_fast_syscall+0x0/0x28)
Add PLAT_S3C24XX, ARCH_S3C64XX and ARCH_S5PV210 dependencies to
SAMSUNG_PM_CHECK config option to hide it on Exynos platforms.
Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Yanjiang Jin [Sat, 29 Sep 2018 09:06:55 +0000 (17:06 +0800)]
pinctrl: core: make sure strcmp() doesn't get a null parameter
[ Upstream commit
54a58185bfafb5af5045fb8388c45daa373f90f3 ]
Some drivers, for example, QCOM's qdf2xxx, set groups[gpio].name only
when gpio is valid, and leave invalid gpio names as null.
If we want to access the sys node "pinconf-groups",
pinctrl_get_group_selector() -> get_group_name() may return a null
pointer if group_selector is invalid, then the below Kernel panic
would happen since strcmp() uses this null pointer to do comparison.
Unable to handle kernel NULL pointer dereference at ss
00000000
el:Internal error: Oops: 9600000[ 143.080279]
SMP
CPU: 19 PID: 2493 Comm: read_all Tainted: G O
.aarch64 #1
Hardware name: HXT Semiconductor HXT REP-2 System
PC is at strcmp+0x18/0x154
LR is at pinctrl_get_group_selector+0x6c/0xe8
Process read_all (pid: 2493, stack limit =
Call trace:
Exception stack
strcmp+0x18/0x154
pin_config_group_get+0x64/0xd8
pinconf_generic_dump_one+0xd8/0x1c0
pinconf_generic_dump_pins+0x94/0xc8
pinconf_groups_show+0xb4/0x104
seq_read+0x178/0x464
full_proxy_read+0x6c/0xac
__vfs_read+0x58/0x178
vfs_read+0x94/0x164
SyS_read+0x60/0xc0
__sys_trace_return+0x0/0x4
--[ end trace]--
Kernel panic - not syncing: Fatal exception
Signed-off-by: Yanjiang Jin <yanjiang.jin@hxt-semitech.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Julian Sax [Wed, 19 Sep 2018 09:46:23 +0000 (11:46 +0200)]
HID: i2c-hid: override HID descriptors for certain devices
[ Upstream commit
9ee3e06610fdb8a601cde59c92089fb6c1deb4aa ]
A particular touchpad (SIPODEV SP1064) refuses to supply the HID
descriptors. This patch provides the framework for overriding these
descriptors based on DMI data. It also includes the descriptors for
said touchpad, which were extracted by listening to the traffic of the
windows filter driver, as well as the DMI data for the laptops known
to use this device.
Relevant Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1526312
Cc: Hans de Goede <hdegoede@redhat.com>
Reported-and-tested-by: ahormann@gmx.net
Reported-and-tested-by: Bruno Jesus <bruno.fl.jesus@gmail.com>
Reported-and-tested-by: Dietrich <enaut.w@googlemail.com>
Reported-and-tested-by: kloxdami@yahoo.com
Signed-off-by: Julian Sax <jsbc@gmx.de>
Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Matias Karhumaa [Fri, 28 Sep 2018 18:54:30 +0000 (21:54 +0300)]
Bluetooth: Fix debugfs NULL pointer dereference
[ Upstream commit
30d65e0804d58a03d1a8ea4e12c6fc07ed08218b ]
Fix crash caused by NULL pointer dereference when debugfs functions
le_max_key_read, le_max_key_size_write, le_min_key_size_read or
le_min_key_size_write and Bluetooth adapter was powered off.
Fix is to move max_key_size and min_key_size from smp_dev to hci_dev.
At the same time they were renamed to le_max_key_size and
le_min_key_size.
BUG: unable to handle kernel NULL pointer dereference at
00000000000002e8
PGD 0 P4D 0
Oops: 0000 [#24] SMP PTI
CPU: 2 PID: 6255 Comm: cat Tainted: G D OE 4.18.9-200.fc28.x86_64 #1
Hardware name: LENOVO 4286CTO/4286CTO, BIOS 8DET76WW (1.46 ) 06/21/2018
RIP: 0010:le_max_key_size_read+0x45/0xb0 [bluetooth]
Code: 00 00 00 48 83 ec 10 65 48 8b 04 25 28 00 00 00 48 89 44 24 08 31 c0 48 8b 87 c8 00 00 00 48 8d 7c 24 04 48 8b 80 48 0a 00 00 <48> 8b 80 e8 02 00 00 0f b6 48 52 e8 fb b6 b3 ed be 04 00 00 00 48
RSP: 0018:
ffffab23c3ff3df0 EFLAGS:
00010246
RAX:
0000000000000000 RBX:
00007f0b4ca2e000 RCX:
ffffab23c3ff3f08
RDX:
ffffffffc0ddb033 RSI:
0000000000000004 RDI:
ffffab23c3ff3df4
RBP:
0000000000020000 R08:
0000000000000000 R09:
0000000000000000
R10:
ffffab23c3ff3ed8 R11:
0000000000000000 R12:
ffffab23c3ff3f08
R13:
00007f0b4ca2e000 R14:
0000000000020000 R15:
ffffab23c3ff3f08
FS:
00007f0b4ca0f540(0000) GS:
ffff91bd5e280000(0000) knlGS:
0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
CR2:
00000000000002e8 CR3:
00000000629fa006 CR4:
00000000000606e0
Call Trace:
full_proxy_read+0x53/0x80
__vfs_read+0x36/0x180
vfs_read+0x8a/0x140
ksys_read+0x4f/0xb0
do_syscall_64+0x5b/0x160
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Signed-off-by: Matias Karhumaa <matias.karhumaa@gmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Brad Love [Thu, 6 Sep 2018 21:07:48 +0000 (17:07 -0400)]
media: au0828: cannot kfree dev before usb disconnect
[ Upstream commit
4add7104919f9e94e0db03e234caeadbfcc02ea9 ]
If au0828_analog_register fails, the dev is kfree'd and then flow
jumps to done, which can call au0828_usb_disconnect. Since all USB
error codes are negative, au0828_usb_disconnect will be called. The
problem is au0828_usb_disconnect uses dev, if dev is NULL then there
is immediate oops encountered.
[ 7.454307] au0828: au0828_usb_probe() au0282_dev_register failed to register on V4L2
[ 7.454323] BUG: unable to handle kernel NULL pointer dereference at
0000000000000050
[ 7.454421] PGD 0 P4D 0
[ 7.454457] Oops: 0002 [#1] SMP PTI
[ 7.454500] CPU: 1 PID: 262 Comm: systemd-udevd Tainted: P O 4.18.3 #1
[ 7.454584] Hardware name: Google Panther/Panther, BIOS MattDevo 04/27/2015
[ 7.454670] RIP: 0010:_raw_spin_lock_irqsave+0x2c/0x50
[ 7.454725] Code: 44 00 00 55 48 89 e5 41 54 53 48 89 fb 9c 58 0f 1f 44 00 00 49 89 c4 fa 66 0f 1f 44 00 00 e8 db 23 1b ff 31 c0 ba 01 00 00 00 <f0> 0f b1 13 85 c0 75 08 4c 89 e0 5b 41 5c 5d c3 89 c6 48 89 df e8
[ 7.455004] RSP: 0018:
ffff9130f53ef988 EFLAGS:
00010046
[ 7.455063] RAX:
0000000000000000 RBX:
0000000000000050 RCX:
0000000000000000
[ 7.455139] RDX:
0000000000000001 RSI:
0000000000000003 RDI:
0000000000000050
[ 7.455216] RBP:
ffff9130f53ef998 R08:
0000000000000018 R09:
0000000000000090
[ 7.455292] R10:
ffffed4cc53cb000 R11:
ffffed4cc53cb108 R12:
0000000000000082
[ 7.455369] R13:
ffff9130cf2c6188 R14:
0000000000000000 R15:
0000000000000018
[ 7.455447] FS:
00007f2ff8514cc0(0000) GS:
ffff9130fcb00000(0000) knlGS:
0000000000000000
[ 7.455535] CS: 0010 DS: 0000 ES: 0000 CR0:
0000000080050033
[ 7.455597] CR2:
0000000000000050 CR3:
00000001753f0002 CR4:
00000000000606a0
[ 7.455675] Call Trace:
[ 7.455713] __wake_up_common_lock+0x65/0xc0
[ 7.455764] __wake_up+0x13/0x20
[ 7.455808] ir_lirc_unregister+0x57/0xe0 [rc_core]
[ 7.455865] rc_unregister_device+0xa0/0xc0 [rc_core]
[ 7.455935] au0828_rc_unregister+0x25/0x40 [au0828]
[ 7.455999] au0828_usb_disconnect+0x33/0x80 [au0828]
[ 7.456064] au0828_usb_probe.cold.16+0x8d/0x2aa [au0828]
[ 7.456130] usb_probe_interface+0xf1/0x300
[ 7.456184] driver_probe_device+0x2e3/0x460
[ 7.456235] __driver_attach+0xe4/0x110
[ 7.456282] ? driver_probe_device+0x460/0x460
[ 7.456335] bus_for_each_dev+0x74/0xb0
[ 7.456385] ? kmem_cache_alloc_trace+0x15d/0x1d0
[ 7.456441] driver_attach+0x1e/0x20
[ 7.456485] bus_add_driver+0x159/0x230
[ 7.456532] driver_register+0x70/0xc0
[ 7.456578] usb_register_driver+0x7f/0x140
[ 7.456626] ? 0xffffffffc0474000
[ 7.456674] au0828_init+0xbc/0x1000 [au0828]
[ 7.456725] do_one_initcall+0x4a/0x1c9
[ 7.456771] ? _cond_resched+0x19/0x30
[ 7.456817] ? kmem_cache_alloc_trace+0x15d/0x1d0
[ 7.456873] do_init_module+0x60/0x210
[ 7.456918] load_module+0x221b/0x2710
[ 7.456966] ? vfs_read+0xf5/0x120
[ 7.457010] __do_sys_finit_module+0xbd/0x120
[ 7.457061] ? __do_sys_finit_module+0xbd/0x120
[ 7.457115] __x64_sys_finit_module+0x1a/0x20
[ 7.457166] do_syscall_64+0x5b/0x110
[ 7.457210] entry_SYSCALL_64_after_hwframe+0x49/0xbe
Signed-off-by: Brad Love <brad@nextdimension.cc>
Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Nathan Fontenot [Mon, 10 Sep 2018 14:57:00 +0000 (09:57 -0500)]
powerpc/pseries: Remove prrn_work workqueue
[ Upstream commit
cd24e457fd8b2d087d9236700c8d2957054598bf ]
When a PRRN event is received we are already running in a worker
thread. Instead of spawning off another worker thread on the prrn_work
workqueue to handle the PRRN event we can just call the PRRN handler
routine directly.
With this update we can also pass the scope variable for the PRRN
event directly to the handler instead of it being a global variable.
This patch fixes the following oops mnessage we are seeing in PRRN testing:
Oops: Bad kernel stack pointer, sig: 6 [#1]
SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache binfmt_misc reiserfs vfat fat rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag af_packet xfs libcrc32c dm_service_time ibmveth(X) ses enclosure scsi_transport_sas rtc_generic btrfs xor raid6_pq sd_mod ibmvscsi(X) scsi_transport_srp ipr(X) libata sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
Supported: Yes, External 54
CPU: 7 PID: 18967 Comm: kworker/u96:0 Tainted: G X 4.4.126-94.22-default #1
Workqueue: pseries hotplug workque pseries_hp_work_fn
task:
c000000775367790 ti:
c00000001ebd4000 task.ti:
c00000070d140000
NIP:
0000000000000000 LR:
000000001fb3d050 CTR:
0000000000000000
REGS:
c00000001ebd7d40 TRAP: 0700 Tainted: G X (4.4.126-94.22-default)
MSR:
8000000102081000 <41,VEC,ME5 CR:
28000002 XER:
20040018 4
CFAR:
000000001fb3d084 40 419 1 3
GPR00:
000000000000000040000000000010007 000000001ffff400 000000041fffe200
GPR04:
000000000000008050000000000000000 000000001fb15fa8 0000000500000500
GPR08:
000000000001f40040000000000000001 0000000000000000 000005:
5200040002
GPR12:
00000000000000005c000000007a05400 c0000000000e89f8 000000001ed9f668
GPR16:
000000001fbeff944000000001fbeff94 000000001fb545e4 0000006000000060
GPR20:
ffffffffffffffff4ffffffffffffffff 0000000000000000 0000000000000000
GPR24:
00000000000000005400000001fb3c000 0000000000000000 000000001fb1b040
GPR28:
000000001fb240004000000001fb440d8 0000000000000008 0000000000000000
NIP [
0000000000000000] 5 (null)
LR [
000000001fb3d050]
031fb3d050
Call Trace: 4
Instruction dump: 4 5:47 12 2
XXXXXXXX XXXXXXXX XXXXX4XX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXX5XX XXXXXXXX
60000000 60000000 60000000 60000000
---[ end trace
aa5627b04a7d9d6b ]--- 3NMI watchdog: BUG: soft lockup - CPU#27 stuck for 23s! [kworker/27:0:13903]
Modules linked in: nfsv3 nfs_acl rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc fscache binfmt_misc reiserfs vfat fat rpadlpar_io(X) rpaphp(X) tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag af_packet xfs libcrc32c dm_service_time ibmveth(X) ses enclosure scsi_transport_sas rtc_generic btrfs xor raid6_pq sd_mod ibmvscsi(X) scsi_transport_srp ipr(X) libata sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua scsi_mod autofs4
Supported: Yes, External
CPU: 27 PID: 13903 Comm: kworker/27:0 Tainted: G D X 4.4.126-94.22-default #1
Workqueue: events prrn_work_fn
task:
c000000747cfa390 ti:
c00000074712c000 task.ti:
c00000074712c000
NIP:
c0000000008002a8 LR:
c000000000090770 CTR:
000000000032e088
REGS:
c00000074712f7b0 TRAP: 0901 Tainted: G D X (4.4.126-94.22-default)
MSR:
8000000100009033 <SF,EE,ME,IR,DR,RI,LE> CR:
22482044 XER:
20040000
CFAR:
c0000000008002c4 SOFTE: 1
GPR00:
c000000000090770 c00000074712fa30 c000000000f09800 c000000000fa1928 6:02
GPR04:
c000000775f5e000 fffffffffffffffe 0000000000000001 c000000000f42db8
GPR08:
0000000000000001 0000000080000007 0000000000000000 0000000000000000
GPR12:
8006210083180000 c000000007a14400
NIP [
c0000000008002a8] _raw_spin_lock+0x68/0xd0
LR [
c000000000090770] mobility_rtas_call+0x50/0x100
Call Trace: 59 5
[
c00000074712fa60] [
c000000000090770] mobility_rtas_call+0x50/0x100
[
c00000074712faf0] [
c000000000090b08] pseries_devicetree_update+0xf8/0x530
[
c00000074712fc20] [
c000000000031ba4] prrn_work_fn+0x34/0x50
[
c00000074712fc40] [
c0000000000e0390] process_one_work+0x1a0/0x4e0
[
c00000074712fcd0] [
c0000000000e0870] worker_thread+0x1a0/0x6105:57 2
[
c00000074712fd80] [
c0000000000e8b18] kthread+0x128/0x150
[
c00000074712fe30] [
c0000000000096f8] ret_from_kernel_thread+0x5c/0x64
Instruction dump:
2c090000 40c20010 7d40192d 40c2fff0 7c2004ac 2fa90000 40de0018 5:540030 3
e8010010 ebe1fff8 7c0803a6 4e800020 <
7c210b78>
e92d0000 89290009 792affe3
Signed-off-by: John Allen <jallen@linux.ibm.com>
Signed-off-by: Haren Myneni <haren@us.ibm.com>
Signed-off-by: Nathan Fontenot <nfont@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Michal Simek [Mon, 3 Sep 2018 13:10:49 +0000 (15:10 +0200)]
serial: uartps: console_setup() can't be placed to init section
[ Upstream commit
4bb1ce2350a598502b23088b169e16b43d4bc639 ]
When console device is rebinded, console_setup() is called again.
But marking it as __init means that function will be clear after boot is
complete. If console device is binded again console_setup() is not found
and error "Unable to handle kernel paging request at virtual address"
is reported.
Signed-off-by: Michal Simek <michal.simek@xilinx.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Pablo Neira Ayuso [Tue, 4 Sep 2018 10:07:55 +0000 (12:07 +0200)]
netfilter: xt_cgroup: shrink size of v2 path
[ Upstream commit
0d704967f4a49cc2212350b3e4a8231f8b4283ed ]
cgroup v2 path field is PATH_MAX which is too large, this is placing too
much pressure on memory allocation for people with many rules doing
cgroup v1 classid matching, side effects of this are bug reports like:
https://bugzilla.kernel.org/show_bug.cgi?id=200639
This patch registers a new revision that shrinks the cgroup path to 512
bytes, which is the same approach we follow in similar extensions that
have a path field.
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Chao Yu [Thu, 6 Sep 2018 12:34:12 +0000 (20:34 +0800)]
f2fs: fix to do sanity check with current segment number
[ Upstream commit
042be0f849e5fc24116d0afecfaf926eed5cac63 ]
https://bugzilla.kernel.org/show_bug.cgi?id=200219
Reproduction way:
- mount image
- run poc code
- umount image
F2FS-fs (loop1): Bitmap was wrongly set, blk:15364
------------[ cut here ]------------
kernel BUG at /home/yuchao/git/devf2fs/segment.c:2061!
invalid opcode: 0000 [#1] PREEMPT SMP
CPU: 2 PID: 17686 Comm: umount Tainted: G W O 4.18.0-rc2+ #39
Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
EIP: update_sit_entry+0x459/0x4e0 [f2fs]
Code: e8 1c b5 fd ff 0f 0b 0f 0b 8b 45 e4 c7 44 24 08 9c 7a 6c f8 c7 44 24 04 bc 4a 6c f8 89 44 24 0c 8b 06 89 04 24 e8 f7 b4 fd ff <0f> 0b 8b 45 e4 0f b6 d2 89 54 24 10 c7 44 24 08 60 7a 6c f8 c7 44
EAX:
00000032 EBX:
000000f8 ECX:
00000002 EDX:
00000001
ESI:
d7177000 EDI:
f520fe68 EBP:
d6477c6c ESP:
d6477c34
DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS:
00010282
CR0:
80050033 CR2:
b7fbe000 CR3:
2a99b3c0 CR4:
000406f0
Call Trace:
f2fs_allocate_data_block+0x124/0x580 [f2fs]
do_write_page+0x78/0x150 [f2fs]
f2fs_do_write_node_page+0x25/0xa0 [f2fs]
__write_node_page+0x2bf/0x550 [f2fs]
f2fs_sync_node_pages+0x60e/0x6d0 [f2fs]
? sync_inode_metadata+0x2f/0x40
? f2fs_write_checkpoint+0x28f/0x7d0 [f2fs]
? up_write+0x1e/0x80
f2fs_write_checkpoint+0x2a9/0x7d0 [f2fs]
? mark_held_locks+0x5d/0x80
? _raw_spin_unlock_irq+0x27/0x50
kill_f2fs_super+0x68/0x90 [f2fs]
deactivate_locked_super+0x3d/0x70
deactivate_super+0x40/0x60
cleanup_mnt+0x39/0x70
__cleanup_mnt+0x10/0x20
task_work_run+0x81/0xa0
exit_to_usermode_loop+0x59/0xa7
do_fast_syscall_32+0x1f5/0x22c
entry_SYSENTER_32+0x53/0x86
EIP: 0xb7f95c51
Code: c1 1e f7 ff ff 89 e5 8b 55 08 85 d2 8b 81 64 cd ff ff 74 02 89 02 5d c3 8b 0c 24 c3 8b 1c 24 c3 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d 76 00 58 b8 77 00 00 00 cd 80 90 8d 76
EAX:
00000000 EBX:
0871ab90 ECX:
bfb2cd00 EDX:
00000000
ESI:
00000000 EDI:
0871ab90 EBP:
0871ab90 ESP:
bfb2cd7c
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS:
00000246
Modules linked in: f2fs(O) crc32_generic bnep rfcomm bluetooth ecdh_generic snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq pcbc joydev aesni_intel snd_seq_device aes_i586 snd_timer crypto_simd snd cryptd soundcore mac_hid serio_raw video i2c_piix4 parport_pc ppdev lp parport hid_generic psmouse usbhid hid e1000 [last unloaded: f2fs]
---[ end trace
d423f83982cfcdc5 ]---
The reason is, different log headers using the same segment, once
one log's next block address is used by another log, it will cause
panic as above.
Main area: 24 segs, 24 secs 24 zones
- COLD data: 0, 0, 0
- WARM data: 1, 1, 1
- HOT data: 20, 20, 20
- Dir dnode: 22, 22, 22
- File dnode: 22, 22, 22
- Indir nodes: 21, 21, 21
So this patch adds sanity check to detect such condition to avoid
this issue.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Rohit kumar [Tue, 11 Sep 2018 09:29:21 +0000 (14:59 +0530)]
ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx()
[ Upstream commit
ae7d1247d8673ebfd686b17e759d4be391165368 ]
In functions snd_soc_get_volsw_sx() or snd_soc_put_volsw_sx(),
if the result of (min + max) is negative, then fls() returns
signed integer with value as 32. This leads to signed integer
overflow as complete operation is considered as signed integer.
UBSAN: Undefined behaviour in sound/soc/soc-ops.c:382:50
signed integer overflow:
-
2147483648 - 1 cannot be represented in type 'int'
Call trace:
[<
ffffff852f746fe4>] __dump_stack lib/dump_stack.c:15 [inline]
[<
ffffff852f746fe4>] dump_stack+0xec/0x158 lib/dump_stack.c:51
[<
ffffff852f7b5f3c>] ubsan_epilogue+0x18/0x50 lib/ubsan.c:164
[<
ffffff852f7b6840>] handle_overflow+0xf8/0x130 lib/ubsan.c:195
[<
ffffff852f7b68f0>] __ubsan_handle_sub_overflow+0x34/0x44 lib/ubsan.c:211
[<
ffffff85307971a0>] snd_soc_get_volsw_sx+0x1a8/0x1f8 sound/soc/soc-ops.c:382
Typecast the operation to unsigned int to fix the issue.
Signed-off-by: Rohit kumar <rohitkr@codeaurora.org>
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Dinu-Razvan Chis-Serban [Wed, 5 Sep 2018 07:44:12 +0000 (16:44 +0900)]
9p locks: add mount option for lock retry interval
[ Upstream commit
5e172f75e51e3de1b4274146d9b990f803cb5c2a ]
The default P9_LOCK_TIMEOUT can be too long for some users exporting
a local file system to a guest VM (30s), make this configurable at
mount time.
Link: http://lkml.kernel.org/r/1536295827-3181-1-git-send-email-asmadeus@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195727
Signed-off-by: Dinu-Razvan Chis-Serban <justcsdr@gmail.com>
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Gertjan Halkes [Wed, 5 Sep 2018 06:41:29 +0000 (15:41 +0900)]
9p: do not trust pdu content for stat item size
[ Upstream commit
2803cf4379ed252894f046cb8812a48db35294e3 ]
v9fs_dir_readdir() could deadloop if a struct was sent with a size set
to -2
Link: http://lkml.kernel.org/r/1536134432-11997-1-git-send-email-asmadeus@codewreck.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=88021
Signed-off-by: Gertjan Halkes <gertjan@google.com>
Signed-off-by: Dominique Martinet <dominique.martinet@cea.fr>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Chao Yu [Mon, 3 Sep 2018 19:52:17 +0000 (03:52 +0800)]
f2fs: fix to avoid NULL pointer dereference on se->discard_map
[ Upstream commit
7d20c8abb2edcf962ca857d51f4d0f9cd4b19053 ]
https://bugzilla.kernel.org/show_bug.cgi?id=200951
These is a NULL pointer dereference issue reported in bugzilla:
Hi,
in the setup there is a SATA SSD connected to a SATA-to-USB bridge.
The disc is "Samsung SSD 850 PRO 256G" which supports TRIM.
There are four partitions:
sda1: FAT /boot
sda2: F2FS /
sda3: F2FS /home
sda4: F2FS
The bridge is ASMT1153e which uses the "uas" driver.
There is no TRIM pass-through, so, when mounting it reports:
mounting with "discard" option, but the device does not support discard
The USB host is USB3.0 and UASP capable. It is the one on RK3399.
Given this everything works fine, except there is no TRIM support.
In order to enable TRIM a new UDEV rule is added [1]:
/etc/udev/rules.d/10-sata-bridge-trim.rules:
ACTION=="add|change", ATTRS{idVendor}=="174c", ATTRS{idProduct}=="55aa", SUBSYSTEM=="scsi_disk", ATTR{provisioning_mode}="unmap"
After reboot any F2FS write hangs forever and dmesg reports:
Unable to handle kernel NULL pointer dereference
Also tested on a x86_64 system: works fine even with TRIM enabled.
same disc
same bridge
different usb host controller
different cpu architecture
not root filesystem
Regards,
Vicenç.
[1] Post #5 in https://bbs.archlinux.org/viewtopic.php?id=236280
Unable to handle kernel NULL pointer dereference at virtual address
000000000000003e
Mem abort info:
ESR = 0x96000004
Exception class = DABT (current EL), IL = 32 bits
SET = 0, FnV = 0
EA = 0, S1PTW = 0
Data abort info:
ISV = 0, ISS = 0x00000004
CM = 0, WnR = 0
user pgtable: 4k pages, 48-bit VAs, pgdp =
00000000626e3122
[
000000000000003e] pgd=
0000000000000000
Internal error: Oops:
96000004 [#1] SMP
Modules linked in: overlay snd_soc_hdmi_codec rc_cec dw_hdmi_i2s_audio dw_hdmi_cec snd_soc_simple_card snd_soc_simple_card_utils snd_soc_rockchip_i2s rockchip_rga snd_soc_rockchip_pcm rockchipdrm videobuf2_dma_sg v4l2_mem2mem rtc_rk808 videobuf2_memops analogix_dp videobuf2_v4l2 videobuf2_common dw_hdmi dw_wdt cec rc_core videodev drm_kms_helper media drm rockchip_thermal rockchip_saradc realtek drm_panel_orientation_quirks syscopyarea sysfillrect sysimgblt fb_sys_fops dwmac_rk stmmac_platform stmmac pwm_bl squashfs loop crypto_user gpio_keys hid_kensington
CPU: 5 PID: 957 Comm: nvim Not tainted 4.19.0-rc1-1-ARCH #1
Hardware name: Sapphire-RK3399 Board (DT)
pstate:
00000005 (nzcv daif -PAN -UAO)
pc : update_sit_entry+0x304/0x4b0
lr : update_sit_entry+0x108/0x4b0
sp :
ffff00000ca13bd0
x29:
ffff00000ca13bd0 x28:
000000000000003e
x27:
0000000000000020 x26:
0000000000080000
x25:
0000000000000048 x24:
ffff8000ebb85cf8
x23:
0000000000000253 x22:
00000000ffffffff
x21:
00000000000535f2 x20:
00000000ffffffdf
x19:
ffff8000eb9e6800 x18:
ffff8000eb9e6be8
x17:
0000000007ce6926 x16:
000000001c83ffa8
x15:
0000000000000000 x14:
ffff8000f602df90
x13:
0000000000000006 x12:
0000000000000040
x11:
0000000000000228 x10:
0000000000000000
x9 :
0000000000000000 x8 :
0000000000000000
x7 :
00000000000535f2 x6 :
ffff8000ebff3440
x5 :
ffff8000ebff3440 x4 :
ffff8000ebe3a6c8
x3 :
00000000ffffffff x2 :
0000000000000020
x1 :
0000000000000000 x0 :
ffff8000eb9e5800
Process nvim (pid: 957, stack limit = 0x0000000063a78320)
Call trace:
update_sit_entry+0x304/0x4b0
f2fs_invalidate_blocks+0x98/0x140
truncate_node+0x90/0x400
f2fs_remove_inode_page+0xe8/0x340
f2fs_evict_inode+0x2b0/0x408
evict+0xe0/0x1e0
iput+0x160/0x260
do_unlinkat+0x214/0x298
__arm64_sys_unlinkat+0x3c/0x68
el0_svc_handler+0x94/0x118
el0_svc+0x8/0xc
Code:
f9400800 b9488400 36080140 f9400f01 (
387c4820)
---[ end trace
a0f21a307118c477 ]---
The reason is it is possible to enable discard flag on block queue via
UDEV, but during mount, f2fs will initialize se->discard_map only if
this flag is set, once the flag is set after mount, f2fs may dereference
NULL pointer on se->discard_map.
So this patch does below changes to fix this issue:
- initialize and update se->discard_map all the time.
- don't clear DISCARD option if device has no QUEUE_FLAG_DISCARD flag
during mount.
- don't issue small discard on zoned block device.
- introduce some functions to enhance the readability.
Signed-off-by: Chao Yu <yuchao0@huawei.com>
Tested-by: Vicente Bergas <vicencb@gmail.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Siva Rebbagondla [Mon, 27 Aug 2018 11:35:15 +0000 (17:05 +0530)]
rsi: improve kernel thread handling to fix kernel panic
[ Upstream commit
4c62764d0fc21a34ffc44eec1210038c3a2e4473 ]
While running regressions, observed below kernel panic when sdio disconnect
called. This is because of, kthread_stop() is taking care of
wait_for_completion() by default. When wait_for_completion triggered
in kthread_stop and as it was done already, giving kernel panic.
Hence, removing redundant wait_for_completion() from rsi_kill_thread().
... skipping ...
BUG: unable to handle kernel NULL pointer dereference at (null)
IP: [<
ffffffff810a63df>] exit_creds+0x1f/0x50
PGD 0
Oops: 0002 [#1] SMP
CPU: 0 PID: 6502 Comm: rmmod Tainted: G OE 4.15.9-Generic #154-Ubuntu
Hardware name: Dell Inc. Edge Gateway 3003/ , BIOS 01.00.00 04/17/2017
Stack:
ffff88007392e600 ffff880075847dc0 ffffffff8108160a 0000000000000000
ffff88007392e600 ffff880075847de8 ffffffff810a484b ffff880076127000
ffff88003cd3a800 ffff880074f12a00 ffff880075847e28 ffffffffc09bed15
Call Trace:
[<
ffffffff8108160a>] __put_task_struct+0x5a/0x140
[<
ffffffff810a484b>] kthread_stop+0x10b/0x110
[<
ffffffffc09bed15>] rsi_disconnect+0x2f5/0x300 [ven_rsi_sdio]
[<
ffffffff81578bcb>] ? __pm_runtime_resume+0x5b/0x80
[<
ffffffff816f0918>] sdio_bus_remove+0x38/0x100
[<
ffffffff8156cc64>] __device_release_driver+0xa4/0x150
[<
ffffffff8156d7a5>] driver_detach+0xb5/0xc0
[<
ffffffff8156c6c5>] bus_remove_driver+0x55/0xd0
[<
ffffffff8156dfbc>] driver_unregister+0x2c/0x50
[<
ffffffff816f0b8a>] sdio_unregister_driver+0x1a/0x20
[<
ffffffffc09bf0f5>] rsi_module_exit+0x15/0x30 [ven_rsi_sdio]
[<
ffffffff8110cad8>] SyS_delete_module+0x1b8/0x210
[<
ffffffff81851dc8>] entry_SYSCALL_64_fastpath+0x1c/0xbb
Signed-off-by: Siva Rebbagondla <siva.rebbagondla@redpinesignals.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Robert Jarzmik [Sat, 25 Aug 2018 08:44:17 +0000 (10:44 +0200)]
gpio: pxa: handle corner case of unprobed device
[ Upstream commit
9ce3ebe973bf4073426f35f282c6b955ed802765 ]
In the corner case where the gpio driver probe fails, for whatever
reason, the suspend and resume handlers will still be called as they
have to be registered as syscore operations. This applies as well when
no probe was called while the driver has been built in the kernel.
Nicolas tracked this in :
https://bugzilla.kernel.org/show_bug.cgi?id=200905
Therefore, add a failsafe in these function, and test if a proper probe
succeeded and the driver is functional.
Signed-off-by: Robert Jarzmik <robert.jarzmik@free.fr>
Reported-by: Nicolas Chauvet <kwizart@gmail.com>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Thomas Zimmermann [Fri, 20 Jul 2018 11:27:43 +0000 (13:27 +0200)]
drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up
[ Upstream commit
abf7b30d7f61d981bfcca65d1e8331b27021b475 ]
In the Cirrus driver, the regular clean-up code also performs the clean-up
of a failed initialization. If the fbdev's framebuffer was not initialized,
the clean-up will fail within drm_framebuffer_unregister_private. Booting
with cirrus.bpp=16 triggers this bug.
The framebuffer is currently stored directly within struct cirrus_fbdev. To
fix the bug, we turn it into a pointer that is only set for initialized
framebuffers. The fbdev's clean-up code skips uninitialized framebuffers.
The memory for struct drm_framebuffer is allocated dynamically. This requires
additional error handling within cirrusfb_create. The framebuffer clean-up is
now performed by drm_framebuffer_put, which also frees the data strcuture's
memory.
Link: https://bugzilla.suse.com/show_bug.cgi?id=1101822
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: http://patchwork.freedesktop.org/patch/msgid/20180720112743.27159-1-tzimmermann@suse.de
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Darrick J. Wong [Sat, 23 Mar 2019 16:10:29 +0000 (12:10 -0400)]
ext4: prohibit fstrim in norecovery mode
[ Upstream commit
18915b5873f07e5030e6fb108a050fa7c71c59fb ]
The ext4 fstrim implementation uses the block bitmaps to find free space
that can be discarded. If we haven't replayed the journal, the bitmaps
will be stale and we absolutely *cannot* use stale metadata to zap the
underlying storage.
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kairui Song [Fri, 8 Mar 2019 03:05:08 +0000 (11:05 +0800)]
x86/gart: Exclude GART aperture from kcore
[ Upstream commit
ffc8599aa9763f39f6736a79da4d1575e7006f9a ]
On machines where the GART aperture is mapped over physical RAM,
/proc/kcore contains the GART aperture range. Accessing the GART range via
/proc/kcore results in a kernel crash.
vmcore used to have the same issue, until it was fixed with commit
2a3e83c6f96c ("x86/gart: Exclude GART aperture from vmcore")', leveraging
existing hook infrastructure in vmcore to let /proc/vmcore return zeroes
when attempting to read the aperture region, and so it won't read from the
actual memory.
Apply the same workaround for kcore. First implement the same hook
infrastructure for kcore, then reuse the hook functions introduced in the
previous vmcore fix. Just with some minor adjustment, rename some functions
for more general usage, and simplify the hook infrastructure a bit as there
is no module usage yet.
Suggested-by: Baoquan He <bhe@redhat.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Jiri Bohac <jbohac@suse.cz>
Acked-by: Baoquan He <bhe@redhat.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Alexey Dobriyan <adobriyan@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Omar Sandoval <osandov@fb.com>
Cc: Dave Young <dyoung@redhat.com>
Link: https://lkml.kernel.org/r/20190308030508.13548-1-kasong@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Steve French [Sun, 17 Mar 2019 20:58:38 +0000 (15:58 -0500)]
fix incorrect error code mapping for OBJECTID_NOT_FOUND
[ Upstream commit
85f9987b236cf46e06ffdb5c225cf1f3c0acb789 ]
It was mapped to EIO which can be confusing when user space
queries for an object GUID for an object for which the server
file system doesn't support (or hasn't saved one).
As Amir Goldstein suggested this is similar to ENOATTR
(equivalently ENODATA in Linux errno definitions) so
changing NT STATUS code mapping for OBJECTID_NOT_FOUND
to ENODATA.
Signed-off-by: Steve French <stfrench@microsoft.com>
CC: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Nathan Chancellor [Thu, 7 Mar 2019 21:27:56 +0000 (14:27 -0700)]
x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error
[ Upstream commit
e898e69d6b9475bf123f99b3c5d1a67bb7cb2361 ]
When building with -Wsometimes-uninitialized, Clang warns:
arch/x86/kernel/hw_breakpoint.c:355:2: warning: variable 'align' is used
uninitialized whenever switch default is taken
[-Wsometimes-uninitialized]
The default cannot be reached because arch_build_bp_info() initializes
hw->len to one of the specified cases. Nevertheless the warning is valid
and returning -EINVAL makes sure that this cannot be broken by future
modifications.
Suggested-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: clang-built-linux@googlegroups.com
Link: https://github.com/ClangBuiltLinux/linux/issues/392
Link: https://lkml.kernel.org/r/20190307212756.4648-1-natechancellor@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Lu Baolu [Wed, 20 Mar 2019 01:58:33 +0000 (09:58 +0800)]
iommu/vt-d: Check capability before disabling protected memory
[ Upstream commit
5bb71fc790a88d063507dc5d445ab8b14e845591 ]
The spec states in 10.4.16 that the Protected Memory Enable
Register should be treated as read-only for implementations
not supporting protected memory regions (PLMR and PHMR fields
reported as Clear in the Capability register).
Cc: Jacob Pan <jacob.jun.pan@linux.intel.com>
Cc: mark gross <mgross@intel.com>
Suggested-by: Ashok Raj <ashok.raj@intel.com>
Fixes:
f8bab73515ca5 ("intel-iommu: PMEN support")
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
YueHaibing [Thu, 28 Feb 2019 12:24:59 +0000 (20:24 +0800)]
drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure
[ Upstream commit
909e9c9c428376e2a43d178ed4b0a2d5ba9cb7d3 ]
pm_runtime_get_sync returns negative on failure.
Fixes:
eaeb9010bb4b ("drm/nouveau/debugfs: Wake up GPU before doing any reclocking")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Matthew Whitehead [Thu, 14 Mar 2019 20:46:00 +0000 (16:46 -0400)]
x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors
[ Upstream commit
18fb053f9b827bd98cfc64f2a35df8ab19745a1d ]
There are comments in processor-cyrix.h advising you to _not_ make calls
using the deprecated macros in this style:
setCx86_old(CX86_CCR4, getCx86_old(CX86_CCR4) | 0x80);
This is because it expands the macro into a non-functioning calling
sequence. The calling order must be:
outb(CX86_CCR2, 0x22);
inb(0x23);
From the comments:
* When using the old macros a line like
* setCx86(CX86_CCR2, getCx86(CX86_CCR2) | 0x88);
* gets expanded to:
* do {
* outb((CX86_CCR2), 0x22);
* outb((({
* outb((CX86_CCR2), 0x22);
* inb(0x23);
* }) | 0x88), 0x23);
* } while (0);
The new macros fix this problem, so use them instead. Tested on an
actual Geode processor.
Signed-off-by: Matthew Whitehead <tedheadster@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: luto@kernel.org
Link: https://lkml.kernel.org/r/1552596361-8967-2-git-send-email-tedheadster@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
Kangjie Lu [Thu, 14 Mar 2019 05:46:51 +0000 (00:46 -0500)]
x86/hyperv: Prevent potential NULL pointer dereference
[ Upstream commit
534c89c22e26b183d838294f0937ee092c82ad3a ]
The page allocation in hv_cpu_init() can fail, but the code does not
have a check for that.
Add a check and return -ENOMEM when the allocation fails.
[ tglx: Massaged changelog ]
Signed-off-by: Kangjie Lu <kjlu@umn.edu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Mukesh Ojha <mojha@codeaurora.org>
Acked-by: "K. Y. Srinivasan" <kys@microsoft.com>
Cc: pakki001@umn.edu
Cc: Haiyang Zhang <haiyangz@microsoft.com>
Cc: Stephen Hemminger <sthemmin@microsoft.com>
Cc: Sasha Levin <sashal@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: linux-hyperv@vger.kernel.org
Link: https://lkml.kernel.org/r/20190314054651.1315-1-kjlu@umn.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
Aditya Pakki [Tue, 19 Mar 2019 02:19:56 +0000 (21:19 -0500)]
x86/hpet: Prevent potential NULL pointer dereference
[ Upstream commit
2e84f116afca3719c9d0a1a78b47b48f75fd5724 ]
hpet_virt_address may be NULL when ioremap_nocache fail, but the code lacks
a check.
Add a check to prevent NULL pointer dereference.
Signed-off-by: Aditya Pakki <pakki001@umn.edu>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: kjlu@umn.edu
Cc: Borislav Petkov <bp@alien8.de>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Joe Perches <joe@perches.com>
Cc: Nicolai Stange <nstange@suse.de>
Cc: Roland Dreier <roland@purestorage.com>
Link: https://lkml.kernel.org/r/20190319021958.17275-1-pakki001@umn.edu
Signed-off-by: Sasha Levin <sashal@kernel.org>
Jianguo Chen [Wed, 20 Mar 2019 18:54:21 +0000 (18:54 +0000)]
irqchip/mbigen: Don't clear eventid when freeing an MSI
[ Upstream commit
fca269f201a8d9985c0a31fb60b15d4eb57cef80 ]
mbigen_write_msg clears eventid bits of a mbigen register
when free a interrupt, because msi_domain_deactivate memset
struct msg to zero. Then multiple mbigen pins with zero eventid
will report the same interrupt number.
The eventid clear call trace:
free_irq
__free_irq
irq_shutdown
irq_domain_deactivate_irq
__irq_domain_deactivate_irq
__irq_domain_deactivate_irq
msi_domain_deactivate
platform_msi_write_msg
mbigen_write_msg
Signed-off-by: Jianguo Chen <chenjianguo3@huawei.com>
[maz: massaged subject]
Signed-off-by: Marc Zyngier <marc.zyngier@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>