1. 26 Jul, 2019 40 commits
    • Stefano Brivio's avatar
      ipset: Fix memory accounting for hash types on resize · 3711cf11
      Stefano Brivio authored
      [ Upstream commit 11921796 ]
      
      If a fresh array block is allocated during resize, the current in-memory
      set size should be increased by the size of the block, not replaced by it.
      
      Before the fix, adding entries to a hash set type, leading to a table
      resize, caused an inconsistent memory size to be reported. This becomes
      more obvious when swapping sets with similar sizes:
      
        # cat hash_ip_size.sh
        #!/bin/sh
        FAIL_RETRIES=10
      
        tries=0
        while [ ${tries} -lt ${FAIL_RETRIES} ]; do
        	ipset create t1 hash:ip
        	for i in `seq 1 4345`; do
        		ipset add t1 1.2.$((i / 255)).$((i % 255))
        	done
        	t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
      
        	ipset create t2 hash:ip
        	for i in `seq 1 4360`; do
        		ipset add t2 1.2.$((i / 255)).$((i % 255))
        	done
        	t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
      
        	ipset swap t1 t2
        	t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
        	t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
      
        	ipset destroy t1
        	ipset destroy t2
        	tries=$((tries + 1))
      
        	if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then
        		echo "FAIL after ${tries} tries:"
        		echo "T1 size ${t1_init}, after swap ${t1_swap}"
        		echo "T2 size ${t2_init}, after swap ${t2_swap}"
        		exit 1
        	fi
        done
        echo "PASS"
        # echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control
        # ./hash_ip_size.sh
        [ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa
        [ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163)
        [ 2035.080353] Table destroy by resize 00000000fe6551fa
        FAIL after 4 tries:
        T1 size 9064, after swap 71128
        T2 size 71128, after swap 9064
      Reported-by: default avatarNOYB <JunkYardMail1@Frontier.com>
      Fixes: 9e41f26a ("netfilter: ipset: Count non-static extension memory for userspace")
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3711cf11
    • Robert Hancock's avatar
      net: sfp: add mutex to prevent concurrent state checks · b892e3cf
      Robert Hancock authored
      [ Upstream commit 2158e856 ]
      
      sfp_check_state can potentially be called by both a threaded IRQ handler
      and delayed work. If it is concurrently called, it could result in
      incorrect state management. Add a st_mutex to protect the state - this
      lock gets taken outside of code that checks and handle state changes, and
      the existing sm_mutex nests inside of it.
      Suggested-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarRobert Hancock <hancock@sedsystems.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b892e3cf
    • Borislav Petkov's avatar
      RAS/CEC: Fix pfn insertion · 5b27bd98
      Borislav Petkov authored
      [ Upstream commit 6d8e294b ]
      
      When inserting random PFNs for debugging the CEC through
      (debugfs)/ras/cec/pfn, depending on the return value of pfn_set(),
      multiple values get inserted per a single write.
      
      That is because simple_attr_write() interprets a retval of 0 as
      success and claims the whole input. However, pfn_set() returns the
      cec_add_elem() value, which, if > 0 and smaller than the whole input
      length, makes glibc continue issuing the write syscall until there's
      input left:
      
        pfn_set
        simple_attr_write
        debugfs_attr_write
        full_proxy_write
        vfs_write
        ksys_write
        do_syscall_64
        entry_SYSCALL_64_after_hwframe
      
      leading to those repeated calls.
      
      Return 0 to fix that.
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5b27bd98
    • Julian Wiedmann's avatar
      s390/qdio: handle PENDING state for QEBSM devices · df2c88a7
      Julian Wiedmann authored
      [ Upstream commit 04310324 ]
      
      When a CQ-enabled device uses QEBSM for SBAL state inspection,
      get_buf_states() can return the PENDING state for an Output Queue.
      get_outbound_buffer_frontier() isn't prepared for this, and any PENDING
      buffer will permanently stall all further completion processing on this
      Queue.
      
      This isn't a concern for non-QEBSM devices, as get_buf_states() for such
      devices will manually turn PENDING buffers into EMPTY ones.
      
      Fixes: 104ea556 ("qdio: support asynchronous delivery of storage blocks")
      Signed-off-by: default avatarJulian Wiedmann <jwi@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      df2c88a7
    • Robert Hancock's avatar
      net: axienet: Fix race condition causing TX hang · 5b0c0598
      Robert Hancock authored
      [ Upstream commit 7de44285 ]
      
      It is possible that the interrupt handler fires and frees up space in
      the TX ring in between checking for sufficient TX ring space and
      stopping the TX queue in axienet_start_xmit. If this happens, the
      queue wake from the interrupt handler will occur before the queue is
      stopped, causing a lost wakeup and the adapter's transmit hanging.
      
      To avoid this, after stopping the queue, check again whether there is
      sufficient space in the TX ring. If so, wake up the queue again.
      Signed-off-by: default avatarRobert Hancock <hancock@sedsystems.ca>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5b0c0598
    • Fabio Estevam's avatar
      net: fec: Do not use netdev messages too early · a32d4cf2
      Fabio Estevam authored
      [ Upstream commit a19a0582 ]
      
      When a valid MAC address is not found the current messages
      are shown:
      
      fec 2188000.ethernet (unnamed net_device) (uninitialized): Invalid MAC address: 00:00:00:00:00:00
      fec 2188000.ethernet (unnamed net_device) (uninitialized): Using random MAC address: aa:9f:25:eb:7e:aa
      
      Since the network device has not been registered at this point, it is better
      to use dev_err()/dev_info() instead, which will provide cleaner log
      messages like these:
      
      fec 2188000.ethernet: Invalid MAC address: 00:00:00:00:00:00
      fec 2188000.ethernet: Using random MAC address: aa:9f:25:eb:7e:aa
      
      Tested on a imx6dl-pico-pi board.
      Signed-off-by: default avatarFabio Estevam <festevam@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a32d4cf2
    • Antoine Tenart's avatar
      crypto: inside-secure - do not rely on the hardware last bit for result descriptors · c9fd5afc
      Antoine Tenart authored
      [ Upstream commit 89332590 ]
      
      When performing a transformation the hardware is given result
      descriptors to save the result data. Those result descriptors are
      batched using a 'first' and a 'last' bit. There are cases were more
      descriptors than needed are given to the engine, leading to the engine
      only using some of them, and not setting the last bit on the last
      descriptor we gave. This causes issues were the driver and the hardware
      aren't in sync anymore about the number of result descriptors given (as
      the driver do not give a pool of descriptor to use for any
      transformation, but a pool of descriptors to use *per* transformation).
      
      This patch fixes it by attaching the number of given result descriptors
      to the requests, and by using this number instead of the 'last' bit
      found on the descriptors to process them.
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c9fd5afc
    • Biao Huang's avatar
      net: stmmac: modify default value of tx-frames · bfaada52
      Biao Huang authored
      [ Upstream commit d2facb4b ]
      
      the default value of tx-frames is 25, it's too late when
      passing tstamp to stack, then the ptp4l will fail:
      
      ptp4l -i eth0 -f gPTP.cfg -m
      ptp4l: selected /dev/ptp0 as PTP clock
      ptp4l: port 1: INITIALIZING to LISTENING on INITIALIZE
      ptp4l: port 0: INITIALIZING to LISTENING on INITIALIZE
      ptp4l: port 1: link up
      ptp4l: timed out while polling for tx timestamp
      ptp4l: increasing tx_timestamp_timeout may correct this issue,
             but it is likely caused by a driver bug
      ptp4l: port 1: send peer delay response failed
      ptp4l: port 1: LISTENING to FAULTY on FAULT_DETECTED (FT_UNSPECIFIED)
      
      ptp4l tests pass when changing the tx-frames from 25 to 1 with
      ethtool -C option.
      It should be fine to set tx-frames default value to 1, so ptp4l will pass
      by default.
      Signed-off-by: default avatarBiao Huang <biao.huang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bfaada52
    • Biao Huang's avatar
      net: stmmac: dwmac4: fix flow control issue · ef5f55ea
      Biao Huang authored
      [ Upstream commit ee326fd0 ]
      
      Current dwmac4_flow_ctrl will not clear
      GMAC_RX_FLOW_CTRL_RFE/GMAC_RX_FLOW_CTRL_RFE bits,
      so MAC hw will keep flow control on although expecting
      flow control off by ethtool. Add codes to fix it.
      
      Fixes: 477286b5 ("stmmac: add GMAC4 core support")
      Signed-off-by: default avatarBiao Huang <biao.huang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ef5f55ea
    • Jae Hyun Yoo's avatar
      media: aspeed: change irq to threaded irq · 467d4560
      Jae Hyun Yoo authored
      [ Upstream commit 12ae1c1b ]
      
      Differently from other Aspeed drivers, this driver calls clock
      control APIs in interrupt context. Since ECLK is coupled with a
      reset bit in clk-aspeed module, aspeed_clk_enable will make 10ms of
      busy waiting delay for triggering the reset and it will eventually
      disturb other drivers' interrupt handling. To fix this issue, this
      commit changes this driver's irq to threaded irq so that the delay
      can be happened in a thread context.
      Signed-off-by: default avatarJae Hyun Yoo <jae.hyun.yoo@linux.intel.com>
      Reviewed-by: default avatarEddie James <eajames@linux.ibm.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      467d4560
    • Jiri Olsa's avatar
      perf jvmti: Address gcc string overflow warning for strncpy() · 94140c6f
      Jiri Olsa authored
      [ Upstream commit 279ab04d ]
      
      We are getting false positive gcc warning when we compile with gcc9 (9.1.1):
      
           CC       jvmti/libjvmti.o
         In file included from /usr/include/string.h:494,
                          from jvmti/libjvmti.c:5:
         In function ‘strncpy’,
             inlined from ‘copy_class_filename.constprop’ at jvmti/libjvmti.c:166:3:
         /usr/include/bits/string_fortified.h:106:10: error: ‘__builtin_strncpy’ specified bound depends on the length of the source argument [-Werror=stringop-overflow=]
           106 |   return __builtin___strncpy_chk (__dest, __src, __len, __bos (__dest));
               |          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         jvmti/libjvmti.c: In function ‘copy_class_filename.constprop’:
         jvmti/libjvmti.c:165:26: note: length computed here
           165 |   size_t file_name_len = strlen(file_name);
               |                          ^~~~~~~~~~~~~~~~~
         cc1: all warnings being treated as errors
      
      As per Arnaldo's suggestion use strlcpy(), which does the same thing and keeps
      gcc silent.
      Suggested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Ben Gainey <ben.gainey@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Stephane Eranian <eranian@google.com>
      Link: http://lkml.kernel.org/r/20190531131321.GB1281@kravaSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      94140c6f
    • Fabio Estevam's avatar
      media: imx7-mipi-csis: Propagate the error if clock enabling fails · 5b41a2ed
      Fabio Estevam authored
      [ Upstream commit 2b393f91 ]
      
      Currently the return value from clk_bulk_prepare_enable() is checked,
      but it is not propagate it in the case of failure.
      
      Fix it and also move the error message to the caller of
      mipi_csis_clk_enable().
      Signed-off-by: default avatarFabio Estevam <festevam@gmail.com>
      Reviewed-by: default avatarRui Miguel Silva <rmfrfs@gmail.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      5b41a2ed
    • Miles Chen's avatar
      arm64: mm: make CONFIG_ZONE_DMA32 configurable · 37243454
      Miles Chen authored
      [ Upstream commit 0c1f14ed ]
      
      This change makes CONFIG_ZONE_DMA32 defuly y and allows users
      to overwrite it only when CONFIG_EXPERT=y.
      
      For the SoCs that do not need CONFIG_ZONE_DMA32, this is the
      first step to manage all available memory by a single
      zone(normal zone) to reduce the overhead of multiple zones.
      
      The change also fixes a build error when CONFIG_NUMA=y and
      CONFIG_ZONE_DMA32=n.
      
      arch/arm64/mm/init.c:195:17: error: use of undeclared identifier 'ZONE_DMA32'
                      max_zone_pfns[ZONE_DMA32] = PFN_DOWN(max_zone_dma_phys());
      
      Change since v1:
      1. only expose CONFIG_ZONE_DMA32 when CONFIG_EXPERT=y
      2. remove redundant IS_ENABLED(CONFIG_ZONE_DMA32)
      
      Cc: Robin Murphy <robin.murphy@arm.com>
      Signed-off-by: default avatarMiles Chen <miles.chen@mediatek.com>
      Signed-off-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      37243454
    • Abhishek Goel's avatar
      cpupower : frequency-set -r option misses the last cpu in related cpu list · 6aed94de
      Abhishek Goel authored
      [ Upstream commit 04507c0a ]
      
      To set frequency on specific cpus using cpupower, following syntax can
      be used :
      cpupower -c #i frequency-set -f #f -r
      
      While setting frequency using cpupower frequency-set command, if we use
      '-r' option, it is expected to set frequency for all cpus related to
      cpu #i. But it is observed to be missing the last cpu in related cpu
      list. This patch fixes the problem.
      Signed-off-by: default avatarAbhishek Goel <huntbag@linux.vnet.ibm.com>
      Reviewed-by: default avatarThomas Renninger <trenn@suse.de>
      Signed-off-by: default avatarShuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6aed94de
    • Weihang Li's avatar
      net: hns3: set ops to null when unregister ad_dev · 28a7d7a6
      Weihang Li authored
      [ Upstream commit 594a81b3 ]
      
      The hclge/hclgevf and hns3 module can be unloaded independently,
      when hclge/hclgevf unloaded firstly, the ops of ae_dev should
      be set to NULL, otherwise it will cause an use-after-free problem.
      
      Fixes: 38caee9d ("net: hns3: Add support of the HNAE3 framework")
      Signed-off-by: default avatarWeihang Li <liweihang@hisilicon.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      28a7d7a6
    • Weihang Li's avatar
      net: hns3: add a check to pointer in error_detected and slot_reset · bd87e2a1
      Weihang Li authored
      [ Upstream commit 661262bc ]
      
      If we add a VF without loading hclgevf.ko and then there is a RAS error
      occurs, PCIe AER will call error_detected and slot_reset of all functions,
      and will get a NULL pointer when we check ad_dev->ops->handle_hw_ras_error.
      This will cause a call trace and failures on handling of follow-up RAS
      errors.
      
      This patch check ae_dev and ad_dev->ops at first to solve above issues.
      Signed-off-by: default avatarWeihang Li <liweihang@hisilicon.com>
      Signed-off-by: default avatarPeng Li <lipeng321@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bd87e2a1
    • Kefeng Wang's avatar
      media: wl128x: Fix some error handling in fm_v4l2_init_video_device() · b46ef18c
      Kefeng Wang authored
      [ Upstream commit 69fbb3f4 ]
      
      X-Originating-IP: [10.175.113.25]
      X-CFilter-Loop: Reflected
      The fm_v4l2_init_video_device() forget to unregister v4l2/video device
      in the error path, it could lead to UAF issue, eg,
      
        BUG: KASAN: use-after-free in atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
        BUG: KASAN: use-after-free in atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
        BUG: KASAN: use-after-free in __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
        Read of size 8 at addr ffff8881e84a7c70 by task v4l_id/3659
      
        CPU: 1 PID: 3659 Comm: v4l_id Not tainted 5.1.0 #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:77 [inline]
         dump_stack+0xa9/0x10e lib/dump_stack.c:113
         print_address_description+0x65/0x270 mm/kasan/report.c:187
         kasan_report+0x149/0x18d mm/kasan/report.c:317
         atomic64_read include/asm-generic/atomic-instrumented.h:836 [inline]
         atomic_long_read include/asm-generic/atomic-long.h:28 [inline]
         __mutex_unlock_slowpath+0x92/0x690 kernel/locking/mutex.c:1206
         fm_v4l2_fops_open+0xac/0x120 [fm_drv]
         v4l2_open+0x191/0x390 [videodev]
         chrdev_open+0x20d/0x570 fs/char_dev.c:417
         do_dentry_open+0x700/0xf30 fs/open.c:777
         do_last fs/namei.c:3416 [inline]
         path_openat+0x7c4/0x2a90 fs/namei.c:3532
         do_filp_open+0x1a5/0x2b0 fs/namei.c:3563
         do_sys_open+0x302/0x490 fs/open.c:1069
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f8180c17c8e
        ...
        Allocated by task 3642:
         set_track mm/kasan/common.c:87 [inline]
         __kasan_kmalloc.constprop.3+0xa0/0xd0 mm/kasan/common.c:497
         fm_drv_init+0x13/0x1000 [fm_drv]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
        Freed by task 3642:
         set_track mm/kasan/common.c:87 [inline]
         __kasan_slab_free+0x130/0x180 mm/kasan/common.c:459
         slab_free_hook mm/slub.c:1429 [inline]
         slab_free_freelist_hook mm/slub.c:1456 [inline]
         slab_free mm/slub.c:3003 [inline]
         kfree+0xe1/0x270 mm/slub.c:3958
         fm_drv_init+0x1e6/0x1000 [fm_drv]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Add relevant unregister functions to fix it.
      
      Cc: Hans Verkuil <hans.verkuil@cisco.com>
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b46ef18c
    • Imre Deak's avatar
      locking/lockdep: Fix merging of hlocks with non-zero references · 3e6d03e7
      Imre Deak authored
      [ Upstream commit d9349850 ]
      
      The sequence
      
      	static DEFINE_WW_CLASS(test_ww_class);
      
      	struct ww_acquire_ctx ww_ctx;
      	struct ww_mutex ww_lock_a;
      	struct ww_mutex ww_lock_b;
      	struct ww_mutex ww_lock_c;
      	struct mutex lock_c;
      
      	ww_acquire_init(&ww_ctx, &test_ww_class);
      
      	ww_mutex_init(&ww_lock_a, &test_ww_class);
      	ww_mutex_init(&ww_lock_b, &test_ww_class);
      	ww_mutex_init(&ww_lock_c, &test_ww_class);
      
      	mutex_init(&lock_c);
      
      	ww_mutex_lock(&ww_lock_a, &ww_ctx);
      
      	mutex_lock(&lock_c);
      
      	ww_mutex_lock(&ww_lock_b, &ww_ctx);
      	ww_mutex_lock(&ww_lock_c, &ww_ctx);
      
      	mutex_unlock(&lock_c);	(*)
      
      	ww_mutex_unlock(&ww_lock_c);
      	ww_mutex_unlock(&ww_lock_b);
      	ww_mutex_unlock(&ww_lock_a);
      
      	ww_acquire_fini(&ww_ctx); (**)
      
      will trigger the following error in __lock_release() when calling
      mutex_release() at **:
      
      	DEBUG_LOCKS_WARN_ON(depth <= 0)
      
      The problem is that the hlock merging happening at * updates the
      references for test_ww_class incorrectly to 3 whereas it should've
      updated it to 4 (representing all the instances for ww_ctx and
      ww_lock_[abc]).
      
      Fix this by updating the references during merging correctly taking into
      account that we can have non-zero references (both for the hlock that we
      merge into another hlock or for the hlock we are merging into).
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= <ville.syrjala@linux.intel.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Link: https://lkml.kernel.org/r/20190524201509.9199-2-imre.deak@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3e6d03e7
    • Imre Deak's avatar
      locking/lockdep: Fix OOO unlock when hlocks need merging · 90b05e4e
      Imre Deak authored
      [ Upstream commit 8c8889d8 ]
      
      The sequence
      
      	static DEFINE_WW_CLASS(test_ww_class);
      
      	struct ww_acquire_ctx ww_ctx;
      	struct ww_mutex ww_lock_a;
      	struct ww_mutex ww_lock_b;
      	struct mutex lock_c;
      	struct mutex lock_d;
      
      	ww_acquire_init(&ww_ctx, &test_ww_class);
      
      	ww_mutex_init(&ww_lock_a, &test_ww_class);
      	ww_mutex_init(&ww_lock_b, &test_ww_class);
      
      	mutex_init(&lock_c);
      
      	ww_mutex_lock(&ww_lock_a, &ww_ctx);
      
      	mutex_lock(&lock_c);
      
      	ww_mutex_lock(&ww_lock_b, &ww_ctx);
      
      	mutex_unlock(&lock_c);		(*)
      
      	ww_mutex_unlock(&ww_lock_b);
      	ww_mutex_unlock(&ww_lock_a);
      
      	ww_acquire_fini(&ww_ctx);
      
      triggers the following WARN in __lock_release() when doing the unlock at *:
      
      	DEBUG_LOCKS_WARN_ON(curr->lockdep_depth != depth - 1);
      
      The problem is that the WARN check doesn't take into account the merging
      of ww_lock_a and ww_lock_b which results in decreasing curr->lockdep_depth
      by 2 not only 1.
      
      Note that the following sequence doesn't trigger the WARN, since there
      won't be any hlock merging.
      
      	ww_acquire_init(&ww_ctx, &test_ww_class);
      
      	ww_mutex_init(&ww_lock_a, &test_ww_class);
      	ww_mutex_init(&ww_lock_b, &test_ww_class);
      
      	mutex_init(&lock_c);
      	mutex_init(&lock_d);
      
      	ww_mutex_lock(&ww_lock_a, &ww_ctx);
      
      	mutex_lock(&lock_c);
      	mutex_lock(&lock_d);
      
      	ww_mutex_lock(&ww_lock_b, &ww_ctx);
      
      	mutex_unlock(&lock_d);
      
      	ww_mutex_unlock(&ww_lock_b);
      	ww_mutex_unlock(&ww_lock_a);
      
      	mutex_unlock(&lock_c);
      
      	ww_acquire_fini(&ww_ctx);
      
      In general both of the above two sequences are valid and shouldn't
      trigger any lockdep warning.
      
      Fix this by taking the decrement due to the hlock merging into account
      during lock release and hlock class re-setting. Merging can't happen
      during lock downgrading since there won't be a new possibility to merge
      hlocks in that case, so add a WARN if merging still happens then.
      Signed-off-by: default avatarImre Deak <imre.deak@intel.com>
      Signed-off-by: default avatarPeter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: ville.syrjala@linux.intel.com
      Link: https://lkml.kernel.org/r/20190524201509.9199-1-imre.deak@intel.comSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      90b05e4e
    • Sven Eckelmann's avatar
      batman-adv: Fix duplicated OGMs on NETDEV_UP · a2b46e78
      Sven Eckelmann authored
      [ Upstream commit 9e6b5648 ]
      
      The state of slave interfaces are handled differently depending on whether
      the interface is up or not. All active interfaces (IFF_UP) will transmit
      OGMs. But for B.A.T.M.A.N. IV, also non-active interfaces are scheduling
      (low TTL) OGMs on active interfaces. The code which setups and schedules
      the OGMs must therefore already be called when the interfaces gets added as
      slave interface and the transmit function must then check whether it has to
      send out the OGM or not on the specific slave interface.
      
      But the commit f0d97253 ("batman-adv: remove ogm_emit and ogm_schedule
      API calls") moved the setup code from the enable function to the activate
      function. The latter is called either when the added slave was already up
      when batadv_hardif_enable_interface processed the new interface or when a
      NETDEV_UP event was received for this slave interfac. As result, each
      NETDEV_UP would schedule a new OGM worker for the interface and thus OGMs
      would be send a lot more than expected.
      
      Fixes: f0d97253 ("batman-adv: remove ogm_emit and ogm_schedule API calls")
      Reported-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Tested-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
      Acked-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a2b46e78
    • David S. Miller's avatar
      tua6100: Avoid build warnings. · 6d4ed791
      David S. Miller authored
      [ Upstream commit 621ccc6c ]
      
      Rename _P to _P_VAL and _R to _R_VAL to avoid global
      namespace conflicts:
      
      drivers/media/dvb-frontends/tua6100.c: In function ‘tua6100_set_params’:
      drivers/media/dvb-frontends/tua6100.c:79: warning: "_P" redefined
       #define _P 32
      
      In file included from ./include/acpi/platform/aclinux.h:54,
                       from ./include/acpi/platform/acenv.h:152,
                       from ./include/acpi/acpi.h:22,
                       from ./include/linux/acpi.h:34,
                       from ./include/linux/i2c.h:17,
                       from drivers/media/dvb-frontends/tua6100.h:30,
                       from drivers/media/dvb-frontends/tua6100.c:32:
      ./include/linux/ctype.h:14: note: this is the location of the previous definition
       #define _P 0x10 /* punct */
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6d4ed791
    • Christophe Leroy's avatar
      crypto: talitos - Align SEC1 accesses to 32 bits boundaries. · e96316e5
      Christophe Leroy authored
      [ Upstream commit c9cca703 ]
      
      The MPC885 reference manual states:
      
      SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but
      reads can occur on any byte boundary. Writing back a header read from a
      non-32-bit-word boundary will yield unpredictable results.
      
      In order to ensure that, cra_alignmask is set to 3 for SEC1.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 9c4a7965 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e96316e5
    • Christophe Leroy's avatar
      crypto: talitos - properly handle split ICV. · 01f8f49d
      Christophe Leroy authored
      [ Upstream commit eae55a58 ]
      
      The driver assumes that the ICV is as a single piece in the last
      element of the scatterlist. This assumption is wrong.
      
      This patch ensures that the ICV is properly handled regardless of
      the scatterlist layout.
      
      Fixes: 9c4a7965 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      01f8f49d
    • Ioana Ciornei's avatar
      net: phy: Check against net_device being NULL · 8db10b19
      Ioana Ciornei authored
      [ Upstream commit 82c76aca ]
      
      In general, we don't want MAC drivers calling phy_attach_direct with the
      net_device being NULL. Add checks against this in all the functions
      calling it: phy_attach() and phy_connect_direct().
      Signed-off-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Suggested-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8db10b19
    • Shailendra Verma's avatar
      media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails. · 8e53ed20
      Shailendra Verma authored
      [ Upstream commit 6995a659 ]
      
      Fix to avoid possible memory leak if the decoder initialization
      got failed.Free the allocated memory for file handle object
      before return in case decoder initialization fails.
      Signed-off-by: default avatarShailendra Verma <shailendra.v@samsung.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8e53ed20
    • Kefeng Wang's avatar
      media: saa7164: fix remove_proc_entry warning · 139f99f5
      Kefeng Wang authored
      [ Upstream commit 50710eee ]
      
      if saa7164_proc_create() fails, saa7164_fini() will trigger a warning,
      
      name 'saa7164'
      WARNING: CPU: 1 PID: 6311 at fs/proc/generic.c:672 remove_proc_entry+0x1e8/0x3a0
        ? remove_proc_entry+0x1e8/0x3a0
        ? try_stop_module+0x7b/0x240
        ? proc_readdir+0x70/0x70
        ? rcu_read_lock_sched_held+0xd7/0x100
        saa7164_fini+0x13/0x1f [saa7164]
        __x64_sys_delete_module+0x30c/0x480
        ? __ia32_sys_delete_module+0x480/0x480
        ? __x64_sys_clock_gettime+0x11e/0x1c0
        ? __x64_sys_timer_create+0x1a0/0x1a0
        ? trace_hardirqs_off_caller+0x40/0x180
        ? do_syscall_64+0x18/0x450
        do_syscall_64+0x9f/0x450
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fix it by checking the return of proc_create_single() before
      calling remove_proc_entry().
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      [hverkuil-cisco@xs4all.nl: use 0444 instead of S_IRUGO]
      [hverkuil-cisco@xs4all.nl: use pr_info instead of KERN_INFO]
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      139f99f5
    • Hans Verkuil's avatar
      media: mc-device.c: don't memset __user pointer contents · 7816f742
      Hans Verkuil authored
      [ Upstream commit 518fa4e0 ]
      
      You can't memset the contents of a __user pointer. Instead, call copy_to_user to
      copy links.reserved (which is zeroed) to the user memory.
      
      This fixes this sparse warning:
      
      SPARSE:drivers/media/mc/mc-device.c drivers/media/mc/mc-device.c:521:16:  warning: incorrect type in argument 1 (different address spaces)
      
      Fixes: f4930887 ("media: media_device_enum_links32: clean a reserved field")
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reviewed-by: default avatarSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7816f742
    • Arnaldo Carvalho de Melo's avatar
      perf annotate TUI browser: Do not use member from variable within its own initialization · 341b1fa4
      Arnaldo Carvalho de Melo authored
      [ Upstream commit da201963 ]
      
      Some compilers will complain when using a member of a struct to
      initialize another member, in the same struct initialization.
      
      For instance:
      
        debian:8      Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
        oraclelinux:7 clang version 3.4.2 (tags/RELEASE_34/dot2-final)
      
      Produce:
      
        ui/browsers/annotate.c:104:12: error: variable 'ops' is uninitialized when used within its own initialization [-Werror,-Wuninitialized]
                                                    (!ops.current_entry ||
                                                      ^~~
        1 error generated.
      
      So use an extra variable, initialized just before that struct, to have
      the value used in the expressions used to init two of the struct
      members.
      
      Cc: Adrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@kernel.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Fixes: c298304b ("perf annotate: Use a ops table for annotation_line__write()")
      Link: https://lkml.kernel.org/n/tip-f9nexro58q62l3o9hez8hr0i@git.kernel.orgSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      341b1fa4
    • Vandana BN's avatar
      media: usb:zr364xx:Fix KASAN:null-ptr-deref Read in zr364xx_vidioc_querycap · dbabee0c
      Vandana BN authored
      [ Upstream commit 5d2e73a5 ]
      
      SyzKaller hit the null pointer deref while reading from uninitialized
      udev->product in zr364xx_vidioc_querycap().
      
      ==================================================================
      BUG: KASAN: null-ptr-deref in read_word_at_a_time+0xe/0x20
      include/linux/compiler.h:274
      Read of size 1 at addr 0000000000000000 by task v4l_id/5287
      
      CPU: 1 PID: 5287 Comm: v4l_id Not tainted 5.1.0-rc3-319004-g43151d6 #6
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xe8/0x16e lib/dump_stack.c:113
        kasan_report.cold+0x5/0x3c mm/kasan/report.c:321
        read_word_at_a_time+0xe/0x20 include/linux/compiler.h:274
        strscpy+0x8a/0x280 lib/string.c:207
        zr364xx_vidioc_querycap+0xb5/0x210 drivers/media/usb/zr364xx/zr364xx.c:706
        v4l_querycap+0x12b/0x340 drivers/media/v4l2-core/v4l2-ioctl.c:1062
        __video_do_ioctl+0x5bb/0xb40 drivers/media/v4l2-core/v4l2-ioctl.c:2874
        video_usercopy+0x44e/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3056
        v4l2_ioctl+0x14e/0x1a0 drivers/media/v4l2-core/v4l2-dev.c:364
        vfs_ioctl fs/ioctl.c:46 [inline]
        file_ioctl fs/ioctl.c:509 [inline]
        do_vfs_ioctl+0xced/0x12f0 fs/ioctl.c:696
        ksys_ioctl+0xa0/0xc0 fs/ioctl.c:713
        __do_sys_ioctl fs/ioctl.c:720 [inline]
        __se_sys_ioctl fs/ioctl.c:718 [inline]
        __x64_sys_ioctl+0x74/0xb0 fs/ioctl.c:718
        do_syscall_64+0xcf/0x4f0 arch/x86/entry/common.c:290
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7f3b56d8b347
      Code: 90 90 90 48 8b 05 f1 fa 2a 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff
      ff c3 90 90 90 90 90 90 90 90 90 90 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff
      ff 73 01 c3 48 8b 0d c1 fa 2a 00 31 d2 48 29 c2 64
      RSP: 002b:00007ffe005d5d68 EFLAGS: 00000202 ORIG_RAX: 0000000000000010
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f3b56d8b347
      RDX: 00007ffe005d5d70 RSI: 0000000080685600 RDI: 0000000000000003
      RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000400884
      R13: 00007ffe005d5ec0 R14: 0000000000000000 R15: 0000000000000000
      ==================================================================
      
      For this device udev->product is not initialized and accessing it causes a NULL pointer deref.
      
      The fix is to check for NULL before strscpy() and copy empty string, if
      product is NULL
      
      Reported-by: syzbot+66010012fd4c531a1a96@syzkaller.appspotmail.com
      Signed-off-by: default avatarVandana BN <bnvandana@gmail.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dbabee0c
    • Eric Biggers's avatar
      fscrypt: clean up some BUG_ON()s in block encryption/decryption · 2bff4642
      Eric Biggers authored
      [ Upstream commit eeacfdc6 ]
      
      Replace some BUG_ON()s with WARN_ON_ONCE() and returning an error code,
      and move the check for len divisible by FS_CRYPTO_BLOCK_SIZE into
      fscrypt_crypt_block() so that it's done for both encryption and
      decryption, not just encryption.
      Reviewed-by: default avatarChandan Rajendra <chandan@linux.ibm.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2bff4642
    • sumitg's avatar
      media: v4l2-core: fix use-after-free error · bcf628be
      sumitg authored
      [ Upstream commit 3e0f7243 ]
      
      Fixing use-after-free within __v4l2_ctrl_handler_setup().
      Memory is being freed with kfree(new_ref) for duplicate
      control reference entry but ctrl->cluster pointer is still
      referring to freed duplicate entry resulting in error on
      access. Change done to update cluster pointer only when new
      control reference is added.
      
       ==================================================================
       BUG: KASAN: use-after-free in __v4l2_ctrl_handler_setup+0x388/0x428
       Read of size 8 at addr ffffffc324e78618 by task systemd-udevd/312
      
       Allocated by task 312:
      
       Freed by task 312:
      
       The buggy address belongs to the object at ffffffc324e78600
        which belongs to the cache kmalloc-64 of size 64
       The buggy address is located 24 bytes inside of
        64-byte region [ffffffc324e78600, ffffffc324e78640)
       The buggy address belongs to the page:
       page:ffffffbf0c939e00 count:1 mapcount:0 mapping:
      					(null) index:0xffffffc324e78f80
       flags: 0x4000000000000100(slab)
       raw: 4000000000000100 0000000000000000 ffffffc324e78f80 000000018020001a
       raw: 0000000000000000 0000000100000001 ffffffc37040fb80 0000000000000000
       page dumped because: kasan: bad access detected
      
       Memory state around the buggy address:
        ffffffc324e78500: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
        ffffffc324e78580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
       >ffffffc324e78600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                   ^
        ffffffc324e78680: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
        ffffffc324e78700: 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc
       ==================================================================
      Suggested-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarSumit Gupta <sumitg@nvidia.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      bcf628be
    • Kefeng Wang's avatar
      media: vim2m: fix two double-free issues · f2bbf167
      Kefeng Wang authored
      [ Upstream commit 20059cbb ]
      
      vim2m_device_release() will be called by video_unregister_device() to release
      various objects.
      
      There are two double-free issue,
      1. dev->m2m_dev will be freed twice in error_m2m path/vim2m_device_release
      2. the error_v4l2 and error_free path in vim2m_probe() will release
         same objects, since vim2m_device_release has done.
      
      Fixes: ea6c7e34 ("media: vim2m: replace devm_kzalloc by kzalloc")
      
      Cc: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarKefeng Wang <wangkefeng.wang@huawei.com>
      Signed-off-by: default avatarHans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f2bbf167
    • Anirudh Gupta's avatar
      xfrm: Fix xfrm sel prefix length validation · 191e0df4
      Anirudh Gupta authored
      [ Upstream commit b38ff407 ]
      
      Family of src/dst can be different from family of selector src/dst.
      Use xfrm selector family to validate address prefix length,
      while verifying new sa from userspace.
      
      Validated patch with this command:
      ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
      reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
      0x1111016400000000000000000000000044440001 128 \
      sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
      
      Fixes: 07bf7908 ("xfrm: Validate address prefix lengths in the xfrm selector.")
      Signed-off-by: default avatarAnirudh Gupta <anirudh.gupta@sophos.com>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      191e0df4
    • Jeremy Sowden's avatar
      af_key: fix leaks in key_pol_get_resp and dump_sp. · ed83cefc
      Jeremy Sowden authored
      [ Upstream commit 7c80eb1c ]
      
      In both functions, if pfkey_xfrm_policy2msg failed we leaked the newly
      allocated sk_buff.  Free it on error.
      
      Fixes: 55569ce2 ("Fix conversion between IPSEC_MODE_xxx and XFRM_MODE_xxx.")
      Reported-by: syzbot+4f0529365f7f2208d9f0@syzkaller.appspotmail.com
      Signed-off-by: default avatarJeremy Sowden <jeremy@azazel.net>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ed83cefc
    • Eric W. Biederman's avatar
      signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig · a6ebedd0
      Eric W. Biederman authored
      [ Upstream commit f9070dc9 ]
      
      The locking in force_sig_info is not prepared to deal with a task that
      exits or execs (as sighand may change).  The is not a locking problem
      in force_sig as force_sig is only built to handle synchronous
      exceptions.
      
      Further the function force_sig_info changes the signal state if the
      signal is ignored, or blocked or if SIGNAL_UNKILLABLE will prevent the
      delivery of the signal.  The signal SIGKILL can not be ignored and can
      not be blocked and SIGNAL_UNKILLABLE won't prevent it from being
      delivered.
      
      So using force_sig rather than send_sig for SIGKILL is confusing
      and pointless.
      
      Because it won't impact the sending of the signal and and because
      using force_sig is wrong, replace force_sig with send_sig.
      
      Cc: Daniel Lezcano <daniel.lezcano@free.fr>
      Cc: Serge Hallyn <serge@hallyn.com>
      Cc: Oleg Nesterov <oleg@redhat.com>
      Fixes: cf3f8921 ("pidns: add reboot_pid_ns() to handle the reboot syscall")
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a6ebedd0
    • Michal Kalderon's avatar
      qed: Set the doorbell address correctly · 4cabf094
      Michal Kalderon authored
      [ Upstream commit 8366d520 ]
      
      In 100g mode the doorbell bar is united for both engines. Set
      the correct offset in the hwfn so that the doorbell returned
      for RoCE is in the affined hwfn.
      Signed-off-by: default avatarAriel Elior <ariel.elior@marvell.com>
      Signed-off-by: default avatarDenis Bolotin <denis.bolotin@marvell.com>
      Signed-off-by: default avatarMichal Kalderon <michal.kalderon@marvell.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4cabf094
    • Jian Shen's avatar
      net: hns3: initialize CPU reverse mapping · 4c5213f8
      Jian Shen authored
      [ Upstream commit ffab9691 ]
      
      Allocate CPU rmap and add entry for each irq. CPU rmap is
      used in aRFS to get the queue number of the rx completion
      interrupts.
      
      In additional, remove the calling of
      irq_set_affinity_notifier() in hns3_nic_init_irq(), because
      we have registered notifier in irq_cpu_rmap_add() for each
      vector, otherwise it may cause use-after-free issue.
      Signed-off-by: default avatarJian Shen <shenjian15@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4c5213f8
    • Jose Abreu's avatar
      net: stmmac: Prevent missing interrupts when running NAPI · e30df349
      Jose Abreu authored
      [ Upstream commit a976ca79 ]
      
      When we trigger NAPI we are disabling interrupts but in case we receive
      or send a packet in the meantime, as interrupts are disabled, we will
      miss this event.
      
      Trigger both NAPI instances (RX and TX) when at least one event happens
      so that we don't miss any interrupts.
      Signed-off-by: default avatarJose Abreu <joabreu@synopsys.com>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e30df349
    • Jose Abreu's avatar
      net: stmmac: dwmac4/5: Clear unused address entries · 3249b4fb
      Jose Abreu authored
      [ Upstream commit 0620ec6c ]
      
      In case we don't use a given address entry we need to clear it because
      it could contain previous values that are no longer valid.
      
      Found out while running stmmac selftests.
      Signed-off-by: default avatarJose Abreu <joabreu@synopsys.com>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3249b4fb
    • Jose Abreu's avatar
      net: stmmac: dwmac1000: Clear unused address entries · d91f9a55
      Jose Abreu authored
      [ Upstream commit 9463c445 ]
      
      In case we don't use a given address entry we need to clear it because
      it could contain previous values that are no longer valid.
      
      Found out while running stmmac selftests.
      Signed-off-by: default avatarJose Abreu <joabreu@synopsys.com>
      Cc: Joao Pinto <jpinto@synopsys.com>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Giuseppe Cavallaro <peppe.cavallaro@st.com>
      Cc: Alexandre Torgue <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d91f9a55