1. 13 Mar, 2019 40 commits
    • Max Filippov's avatar
      xtensa: SMP: limit number of possible CPUs by NR_CPUS · 4c2ceb15
      Max Filippov authored
      [ Upstream commit 25384ce5 ]
      
      This fixes the following warning at boot when the kernel is booted on a
      board with more CPU cores than was configured in NR_CPUS:
      
        smp_init_cpus: Core Count = 8
        smp_init_cpus: Core Id = 0
        ------------[ cut here ]------------
        WARNING: CPU: 0 PID: 0 at include/linux/cpumask.h:121 smp_init_cpus+0x54/0x74
        Modules linked in:
        CPU: 0 PID: 0 Comm: swapper Not tainted 5.0.0-rc3-00015-g1459333f88a0 #124
        Call Trace:
          __warn$part$3+0x6a/0x7c
          warn_slowpath_null+0x35/0x3c
          smp_init_cpus+0x54/0x74
          setup_arch+0x1c0/0x1d0
          start_kernel+0x44/0x310
          _startup+0x107/0x107
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4c2ceb15
    • Max Filippov's avatar
      xtensa: SMP: mark each possible CPU as present · c754598b
      Max Filippov authored
      [ Upstream commit 8b1c42cd ]
      
      Otherwise it is impossible to enable CPUs after booting with 'maxcpus'
      parameter.
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      c754598b
    • Max Filippov's avatar
      xtensa: smp_lx200_defconfig: fix vectors clash · 7b72724b
      Max Filippov authored
      [ Upstream commit 306b3830 ]
      
      Secondary CPU reset vector overlaps part of the double exception handler
      code, resulting in weird crashes and hangups when running user code.
      Move exception vectors one page up so that they don't clash with the
      secondary CPU reset vector.
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7b72724b
    • Max Filippov's avatar
      xtensa: SMP: fix secondary CPU initialization · 19b7005b
      Max Filippov authored
      [ Upstream commit 32a7726c ]
      
      - add missing memory barriers to the secondary CPU synchronization spin
        loops; add comment to the matching memory barrier in the boot_secondary
        and __cpu_die functions;
      - use READ_ONCE/WRITE_ONCE to access cpu_start_id/cpu_start_ccount
        instead of reading/writing them directly;
      - re-initialize cpu_running every time before starting secondary CPU to
        flush possible previous CPU startup results.
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      19b7005b
    • Colin Ian King's avatar
      selftests: cpu-hotplug: fix case where CPUs offline > CPUs present · 33c6313f
      Colin Ian King authored
      [ Upstream commit 2b531b61 ]
      
      The cpu-hotplug test assumes that we can offline the maximum CPU as
      described by /sys/devices/system/cpu/offline.  However, in the case
      where the number of CPUs exceeds like kernel configuration then
      the offline count can be greater than the present count and we end
      up trying to test the offlining of a CPU that is not available to
      offline.  Fix this by testing the maximum present CPU instead.
      
      Also, the test currently offlines the CPU and does not online it,
      so fix this by onlining the CPU after the test.
      
      Fixes: d89dffa9 ("fault-injection: add selftests for cpu and memory hotplug")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarShuah Khan <shuah@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      33c6313f
    • Max Filippov's avatar
      xtensa: SMP: fix ccount_timer_shutdown · 51cbb781
      Max Filippov authored
      [ Upstream commit 4fe8713b ]
      
      ccount_timer_shutdown is called from the atomic context in the
      secondary_start_kernel, resulting in the following BUG:
      
      BUG: sleeping function called from invalid context
      in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1
      Preemption disabled at:
        secondary_start_kernel+0xa1/0x130
      Call Trace:
        ___might_sleep+0xe7/0xfc
        __might_sleep+0x41/0x44
        synchronize_irq+0x24/0x64
        disable_irq+0x11/0x14
        ccount_timer_shutdown+0x12/0x20
        clockevents_switch_state+0x82/0xb4
        clockevents_exchange_device+0x54/0x60
        tick_check_new_device+0x46/0x70
        clockevents_register_device+0x8c/0xc8
        clockevents_config_and_register+0x1d/0x2c
        local_timer_setup+0x75/0x7c
        secondary_start_kernel+0xb4/0x130
        should_never_return+0x32/0x35
      
      Use disable_irq_nosync instead of disable_irq to avoid it.
      This is safe because the ccount timer IRQ is per-CPU, and once IRQ is
      masked the ISR will not be called.
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      51cbb781
    • Suravee Suthikulpanit's avatar
      iommu/amd: Fix IOMMU page flush when detach device from a domain · ef41aa7e
      Suravee Suthikulpanit authored
      [ Upstream commit 9825bd94 ]
      
      When a VM is terminated, the VFIO driver detaches all pass-through
      devices from VFIO domain by clearing domain id and page table root
      pointer from each device table entry (DTE), and then invalidates
      the DTE. Then, the VFIO driver unmap pages and invalidate IOMMU pages.
      
      Currently, the IOMMU driver keeps track of which IOMMU and how many
      devices are attached to the domain. When invalidate IOMMU pages,
      the driver checks if the IOMMU is still attached to the domain before
      issuing the invalidate page command.
      
      However, since VFIO has already detached all devices from the domain,
      the subsequent INVALIDATE_IOMMU_PAGES commands are being skipped as
      there is no IOMMU attached to the domain. This results in data
      corruption and could cause the PCI device to end up in indeterministic
      state.
      
      Fix this by invalidate IOMMU pages when detach a device, and
      before decrementing the per-domain device reference counts.
      
      Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>
      Suggested-by: default avatarJoerg Roedel <joro@8bytes.org>
      Co-developed-by: default avatarBrijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: default avatarBrijesh Singh <brijesh.singh@amd.com>
      Signed-off-by: default avatarSuravee Suthikulpanit <suravee.suthikulpanit@amd.com>
      Fixes: 6de8ad9b ('x86/amd-iommu: Make iommu_flush_pages aware of multiple IOMMUs')
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ef41aa7e
    • ZhangXiaoxu's avatar
      ipvs: Fix signed integer overflow when setsockopt timeout · 34f02c1d
      ZhangXiaoxu authored
      [ Upstream commit 53ab60ba ]
      
      There is a UBSAN bug report as below:
      UBSAN: Undefined behaviour in net/netfilter/ipvs/ip_vs_ctl.c:2227:21
      signed integer overflow:
      -2147483647 * 1000 cannot be represented in type 'int'
      
      Reproduce program:
      	#include <stdio.h>
      	#include <sys/types.h>
      	#include <sys/socket.h>
      
      	#define IPPROTO_IP 0
      	#define IPPROTO_RAW 255
      
      	#define IP_VS_BASE_CTL		(64+1024+64)
      	#define IP_VS_SO_SET_TIMEOUT	(IP_VS_BASE_CTL+10)
      
      	/* The argument to IP_VS_SO_GET_TIMEOUT */
      	struct ipvs_timeout_t {
      		int tcp_timeout;
      		int tcp_fin_timeout;
      		int udp_timeout;
      	};
      
      	int main() {
      		int ret = -1;
      		int sockfd = -1;
      		struct ipvs_timeout_t to;
      
      		sockfd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
      		if (sockfd == -1) {
      			printf("socket init error\n");
      			return -1;
      		}
      
      		to.tcp_timeout = -2147483647;
      		to.tcp_fin_timeout = -2147483647;
      		to.udp_timeout = -2147483647;
      
      		ret = setsockopt(sockfd,
      				 IPPROTO_IP,
      				 IP_VS_SO_SET_TIMEOUT,
      				 (char *)(&to),
      				 sizeof(to));
      
      		printf("setsockopt return %d\n", ret);
      		return ret;
      	}
      
      Return -EINVAL if the timeout value is negative or max than 'INT_MAX / HZ'.
      Signed-off-by: default avatarZhangXiaoxu <zhangxiaoxu5@huawei.com>
      Acked-by: default avatarSimon Horman <horms@verge.net.au>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      34f02c1d
    • Jerry Snitselaar's avatar
      iommu/amd: Unmap all mapped pages in error path of map_sg · 878a9d34
      Jerry Snitselaar authored
      [ Upstream commit f1724c08 ]
      
      In the error path of map_sg there is an incorrect if condition
      for breaking out of the loop that searches the scatterlist
      for mapped pages to unmap. Instead of breaking out of the
      loop once all the pages that were mapped have been unmapped,
      it will break out of the loop after it has unmapped 1 page.
      Fix the condition, so it breaks out of the loop only after
      all the mapped pages have been unmapped.
      
      Fixes: 80187fd3 ("iommu/amd: Optimize map_sg and unmap_sg")
      Cc: Joerg Roedel <joro@8bytes.org>
      Signed-off-by: default avatarJerry Snitselaar <jsnitsel@redhat.com>
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      878a9d34
    • Jerry Snitselaar's avatar
      iommu/amd: Call free_iova_fast with pfn in map_sg · 1508187f
      Jerry Snitselaar authored
      [ Upstream commit 51d8838d ]
      
      In the error path of map_sg, free_iova_fast is being called with
      address instead of the pfn. This results in a bad value getting into
      the rcache, and can result in hitting a BUG_ON when
      iova_magazine_free_pfns is called.
      
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
      Signed-off-by: default avatarJerry Snitselaar <jsnitsel@redhat.com>
      Fixes: 80187fd3 ("iommu/amd: Optimize map_sg and unmap_sg")
      Signed-off-by: default avatarJoerg Roedel <jroedel@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1508187f
    • Brian Welty's avatar
      IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM · 3162d8af
      Brian Welty authored
      [ Upstream commit 904bba21 ]
      
      The work completion length for a receiving a UD send with immediate is
      short by 4 bytes causing application using this opcode to fail.
      
      The UD receive logic incorrectly subtracts 4 bytes for immediate
      value. These bytes are already included in header length and are used to
      calculate header/payload split, so the result is these 4 bytes are
      subtracted twice, once when the header length subtracted from the overall
      length and once again in the UD opcode specific path.
      
      Remove the extra subtraction when handling the opcode.
      
      Fixes: 77241056 ("IB/hfi1: add driver files")
      Reviewed-by: default avatarMichael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: default avatarBrian Welty <brian.welty@intel.com>
      Signed-off-by: default avatarMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: default avatarDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3162d8af
    • Stephane Eranian's avatar
      perf tools: Handle TOPOLOGY headers with no CPU · 01b094e3
      Stephane Eranian authored
      [ Upstream commit 1497e804 ]
      
      This patch fixes an issue in cpumap.c when used with the TOPOLOGY
      header. In some configurations, some NUMA nodes may have no CPU (empty
      cpulist). Yet a cpumap map must be created otherwise perf abort with an
      error. This patch handles this case by creating a dummy map.
      
        Before:
      
        $ perf record -o - -e cycles noploop 2 | perf script -i -
        0x6e8 [0x6c]: failed to process type: 80
      
        After:
      
        $ perf record -o - -e cycles noploop 2 | perf script -i -
        noploop for 2 seconds
      Signed-off-by: default avatarStephane Eranian <eranian@google.com>
      Acked-by: default avatarJiri Olsa <jolsa@kernel.org>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Kan Liang <kan.liang@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/1547885559-1657-1-git-send-email-eranian@google.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      01b094e3
    • Stephane Eranian's avatar
      perf core: Fix perf_proc_update_handler() bug · 482caab7
      Stephane Eranian authored
      [ Upstream commit 1a51c5da ]
      
      The perf_proc_update_handler() handles /proc/sys/kernel/perf_event_max_sample_rate
      syctl variable.  When the PMU IRQ handler timing monitoring is disabled, i.e,
      when /proc/sys/kernel/perf_cpu_time_max_percent is equal to 0 or 100,
      then no modification to sysctl_perf_event_sample_rate is allowed to prevent
      possible hang from wrong values.
      
      The problem is that the test to prevent modification is made after the
      sysctl variable is modified in perf_proc_update_handler().
      
      You get an error:
      
        $ echo 10001 >/proc/sys/kernel/perf_event_max_sample_rate
        echo: write error: invalid argument
      
      But the value is still modified causing all sorts of inconsistencies:
      
        $ cat /proc/sys/kernel/perf_event_max_sample_rate
        10001
      
      This patch fixes the problem by moving the parsing of the value after
      the test.
      
      Committer testing:
      
        # echo 100 > /proc/sys/kernel/perf_cpu_time_max_percent
        # echo 10001 > /proc/sys/kernel/perf_event_max_sample_rate
        -bash: echo: write error: Invalid argument
        # cat /proc/sys/kernel/perf_event_max_sample_rate
        10001
        #
      Signed-off-by: default avatarStephane Eranian <eranian@google.com>
      Reviewed-by: default avatarAndi Kleen <ak@linux.intel.com>
      Reviewed-by: default avatarJiri Olsa <jolsa@kernel.org>
      Tested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Kan Liang <kan.liang@linux.intel.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lkml.kernel.org/r/1547169436-6266-1-git-send-email-eranian@google.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      482caab7
    • Su Yanjun's avatar
      vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel · 61a2e111
      Su Yanjun authored
      [ Upstream commit dd9ee344 ]
      
      Recently we run a network test over ipcomp virtual tunnel.We find that
      if a ipv4 packet needs fragment, then the peer can't receive
      it.
      
      We deep into the code and find that when packet need fragment the smaller
      fragment will be encapsulated by ipip not ipcomp. So when the ipip packet
      goes into xfrm, it's skb->dev is not properly set. The ipv4 reassembly code
      always set skb'dev to the last fragment's dev. After ipv4 defrag processing,
      when the kernel rp_filter parameter is set, the skb will be drop by -EXDEV
      error.
      
      This patch adds compatible support for the ipip process in ipcomp virtual tunnel.
      Signed-off-by: default avatarSu Yanjun <suyj.fnst@cn.fujitsu.com>
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      61a2e111
    • Alistair Strachan's avatar
      media: uvcvideo: Fix 'type' check leading to overflow · aa4ba765
      Alistair Strachan authored
      commit 47bb1179 upstream.
      
      When initially testing the Camera Terminal Descriptor wTerminalType
      field (buffer[4]), no mask is used. Later in the function, the MSB is
      overloaded to store the descriptor subtype, and so a mask of 0x7fff
      is used to check the type.
      
      If a descriptor is specially crafted to set this overloaded bit in the
      original wTerminalType field, the initial type check will fail (falling
      through, without adjusting the buffer size), but the later type checks
      will pass, assuming the buffer has been made suitably large, causing an
      overflow.
      
      Avoid this problem by checking for the MSB in the wTerminalType field.
      If the bit is set, assume the descriptor is bad, and abort parsing it.
      
      Originally reported here:
      https://groups.google.com/forum/#!topic/syzkaller/Ot1fOE6v1d8
      A similar (non-compiling) patch was provided at that time.
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarAlistair Strachan <astrachan@google.com>
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aa4ba765
    • Martin Wilck's avatar
      scsi: core: reset host byte in DID_NEXUS_FAILURE case · 4d003353
      Martin Wilck authored
      commit 4a067cf8 upstream.
      
      Up to 4.12, __scsi_error_from_host_byte() would reset the host byte to
      DID_OK for various cases including DID_NEXUS_FAILURE.  Commit
      2a842aca ("block: introduce new block status code type") replaced this
      function with scsi_result_to_blk_status() and removed the host-byte
      resetting code for the DID_NEXUS_FAILURE case.  As the line
      set_host_byte(cmd, DID_OK) was preserved for the other cases, I suppose
      this was an editing mistake.
      
      The fact that the host byte remains set after 4.13 is causing problems with
      the sg_persist tool, which now returns success rather then exit status 24
      when a RESERVATION CONFLICT error is encountered.
      
      Fixes: 2a842aca "block: introduce new block status code type"
      Signed-off-by: default avatarMartin Wilck <mwilck@suse.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4d003353
    • YueHaibing's avatar
      exec: Fix mem leak in kernel_read_file · 069fb92e
      YueHaibing authored
      commit f612acfa upstream.
      
      syzkaller report this:
      BUG: memory leak
      unreferenced object 0xffffc9000488d000 (size 9195520):
        comm "syz-executor.0", pid 2752, jiffies 4294787496 (age 18.757s)
        hex dump (first 32 bytes):
          ff ff ff ff ff ff ff ff a8 00 00 00 01 00 00 00  ................
          02 00 00 00 00 00 00 00 80 a1 7a c1 ff ff ff ff  ..........z.....
        backtrace:
          [<000000000863775c>] __vmalloc_node mm/vmalloc.c:1795 [inline]
          [<000000000863775c>] __vmalloc_node_flags mm/vmalloc.c:1809 [inline]
          [<000000000863775c>] vmalloc+0x8c/0xb0 mm/vmalloc.c:1831
          [<000000003f668111>] kernel_read_file+0x58f/0x7d0 fs/exec.c:924
          [<000000002385813f>] kernel_read_file_from_fd+0x49/0x80 fs/exec.c:993
          [<0000000011953ff1>] __do_sys_finit_module+0x13b/0x2a0 kernel/module.c:3895
          [<000000006f58491f>] do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
          [<00000000ee78baf4>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
          [<00000000241f889b>] 0xffffffffffffffff
      
      It should goto 'out_free' lable to free allocated buf while kernel_read
      fails.
      
      Fixes: 39d637af ("vfs: forbid write access when reading a file into memory")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Thibaut Sautereau <thibaut@sautereau.fr>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      069fb92e
    • Matthias Kaehlcke's avatar
      Bluetooth: Fix locking in bt_accept_enqueue() for BH context · 82c73d48
      Matthias Kaehlcke authored
      commit c4f5627f upstream.
      
      With commit e1633762 ("Bluetooth: Handle bt_accept_enqueue() socket
      atomically") lock_sock[_nested]() is used to acquire the socket lock
      before manipulating the socket. lock_sock[_nested]() may block, which
      is problematic since bt_accept_enqueue() can be called in bottom half
      context (e.g. from rfcomm_connect_ind()):
      
      [<ffffff80080d81ec>] __might_sleep+0x4c/0x80
      [<ffffff800876c7b0>] lock_sock_nested+0x24/0x58
      [<ffffff8000d7c27c>] bt_accept_enqueue+0x48/0xd4 [bluetooth]
      [<ffffff8000e67d8c>] rfcomm_connect_ind+0x190/0x218 [rfcomm]
      
      Add a parameter to bt_accept_enqueue() to indicate whether the
      function is called from BH context, and acquire the socket lock
      with bh_lock_sock_nested() if that's the case.
      
      Also adapt all callers of bt_accept_enqueue() to pass the new
      parameter:
      
      - l2cap_sock_new_connection_cb()
        - uses lock_sock() to lock the parent socket => process context
      
      - rfcomm_connect_ind()
        - acquires the parent socket lock with bh_lock_sock() => BH
          context
      
      - __sco_chan_add()
        - called from sco_chan_add(), which is called from sco_connect().
          parent is NULL, hence bt_accept_enqueue() isn't called in this
          code path and we can ignore it
        - also called from sco_conn_ready(). uses bh_lock_sock() to acquire
          the parent lock => BH context
      
      Fixes: e1633762 ("Bluetooth: Handle bt_accept_enqueue() socket atomically")
      Signed-off-by: default avatarMatthias Kaehlcke <mka@chromium.org>
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      82c73d48
    • Max Filippov's avatar
      xtensa: fix get_wchan · 1b0322eb
      Max Filippov authored
      commit d90b88fd upstream.
      
      Stack unwinding is implemented incorrectly in xtensa get_wchan: instead
      of extracting a0 and a1 registers from the spill location under the
      stack pointer it extracts a word pointed to by the stack pointer and
      subtracts 4 or 3 from it.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1b0322eb
    • Mike Kravetz's avatar
      hugetlbfs: fix races and page leaks during migration · af46f4c0
      Mike Kravetz authored
      commit cb6acd01 upstream.
      
      hugetlb pages should only be migrated if they are 'active'.  The
      routines set/clear_page_huge_active() modify the active state of hugetlb
      pages.
      
      When a new hugetlb page is allocated at fault time, set_page_huge_active
      is called before the page is locked.  Therefore, another thread could
      race and migrate the page while it is being added to page table by the
      fault code.  This race is somewhat hard to trigger, but can be seen by
      strategically adding udelay to simulate worst case scheduling behavior.
      Depending on 'how' the code races, various BUG()s could be triggered.
      
      To address this issue, simply delay the set_page_huge_active call until
      after the page is successfully added to the page table.
      
      Hugetlb pages can also be leaked at migration time if the pages are
      associated with a file in an explicitly mounted hugetlbfs filesystem.
      For example, consider a two node system with 4GB worth of huge pages
      available.  A program mmaps a 2G file in a hugetlbfs filesystem.  It
      then migrates the pages associated with the file from one node to
      another.  When the program exits, huge page counts are as follows:
      
        node0
        1024    free_hugepages
        1024    nr_hugepages
      
        node1
        0       free_hugepages
        1024    nr_hugepages
      
        Filesystem                         Size  Used Avail Use% Mounted on
        nodev                              4.0G  2.0G  2.0G  50% /var/opt/hugepool
      
      That is as expected.  2G of huge pages are taken from the free_hugepages
      counts, and 2G is the size of the file in the explicitly mounted
      filesystem.  If the file is then removed, the counts become:
      
        node0
        1024    free_hugepages
        1024    nr_hugepages
      
        node1
        1024    free_hugepages
        1024    nr_hugepages
      
        Filesystem                         Size  Used Avail Use% Mounted on
        nodev                              4.0G  2.0G  2.0G  50% /var/opt/hugepool
      
      Note that the filesystem still shows 2G of pages used, while there
      actually are no huge pages in use.  The only way to 'fix' the filesystem
      accounting is to unmount the filesystem
      
      If a hugetlb page is associated with an explicitly mounted filesystem,
      this information in contained in the page_private field.  At migration
      time, this information is not preserved.  To fix, simply transfer
      page_private from old to new page at migration time if necessary.
      
      There is a related race with removing a huge page from a file and
      migration.  When a huge page is removed from the pagecache, the
      page_mapping() field is cleared, yet page_private remains set until the
      page is actually freed by free_huge_page().  A page could be migrated
      while in this state.  However, since page_mapping() is not set the
      hugetlbfs specific routine to transfer page_private is not called and we
      leak the page count in the filesystem.
      
      To fix that, check for this condition before migrating a huge page.  If
      the condition is detected, return EBUSY for the page.
      
      Link: http://lkml.kernel.org/r/74510272-7319-7372-9ea6-ec914734c179@oracle.com
      Link: http://lkml.kernel.org/r/20190212221400.3512-1-mike.kravetz@oracle.com
      Fixes: bcc54222 ("mm: hugetlb: introduce page_huge_active")
      Signed-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Reviewed-by: default avatarNaoya Horiguchi <n-horiguchi@ah.jp.nec.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: "Kirill A . Shutemov" <kirill.shutemov@linux.intel.com>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: <stable@vger.kernel.org>
      [mike.kravetz@oracle.com: v2]
        Link: http://lkml.kernel.org/r/7534d322-d782-8ac6-1c8d-a8dc380eb3ab@oracle.com
      [mike.kravetz@oracle.com: update comment and changelog]
        Link: http://lkml.kernel.org/r/420bcfd6-158b-38e4-98da-26d0cd85bd01@oracle.comSigned-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af46f4c0
    • Liu Xiang's avatar
      MIPS: irq: Allocate accurate order pages for irq stack · 442d1144
      Liu Xiang authored
      commit 72faa7a7 upstream.
      
      The irq_pages is the number of pages for irq stack, but not the
      order which is needed by __get_free_pages().
      We can use get_order() to calculate the accurate order.
      Signed-off-by: default avatarLiu Xiang <liu.xiang6@zte.com.cn>
      Signed-off-by: default avatarPaul Burton <paul.burton@mips.com>
      Fixes: fe8bd18f ("MIPS: Introduce irq_stack")
      Cc: linux-mips@vger.kernel.org
      Cc: stable@vger.kernel.org # v4.11+
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      442d1144
    • Gustavo A. R. Silva's avatar
      applicom: Fix potential Spectre v1 vulnerabilities · 5838a070
      Gustavo A. R. Silva authored
      commit d7ac3c6e upstream.
      
      IndexCard is indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/char/applicom.c:418 ac_write() warn: potential spectre issue 'apbs' [r]
      drivers/char/applicom.c:728 ac_ioctl() warn: potential spectre issue 'apbs' [r] (local cap)
      
      Fix this by sanitizing IndexCard before using it to index apbs.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://lore.kernel.org/lkml/20180423164740.GY17484@dhcp22.suse.cz/
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5838a070
    • Jiaxun Yang's avatar
      x86/CPU/AMD: Set the CPB bit unconditionally on F17h · 9e1176f2
      Jiaxun Yang authored
      commit 02371991 upstream.
      
      Some F17h models do not have CPB set in CPUID even though the CPU
      supports it. Set the feature bit unconditionally on all F17h.
      
       [ bp: Rewrite commit message and patch. ]
      Signed-off-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Sherry Hurwitz <sherry.hurwitz@amd.com>
      Cc: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: x86-ml <x86@kernel.org>
      Link: https://lkml.kernel.org/r/20181120030018.5185-1-jiaxun.yang@flygoat.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9e1176f2
    • Andrew Lunn's avatar
      net: dsa: mv88e6xxx: Fix statistics on mv88e6161 · e7c4193e
      Andrew Lunn authored
      [ Upstream commit a6da21bb ]
      
      Despite what the datesheet says, the silicon implements the older way
      of snapshoting the statistics. Change the op.
      
      Reported-by: Chris.Healy@zii.aero
      Tested-by: Chris.Healy@zii.aero
      Fixes: 0ac64c39 ("net: dsa: mv88e6xxx: mv88e6161 uses mv88e6320 stats snapshot")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7c4193e
    • Rajasingh Thavamani's avatar
      net: phy: Micrel KSZ8061: link failure after cable connect · b9e298f8
      Rajasingh Thavamani authored
      [ Upstream commit 232ba3a5 ]
      
      With Micrel KSZ8061 PHY, the link may occasionally not come up after
      Ethernet cable connect. The vendor's (Microchip, former Micrel) errata
      sheet 80000688A.pdf descripes the problem and possible workarounds in
      detail, see below.
      The batch implements workaround 1, which permanently fixes the issue.
      
      DESCRIPTION
      Link-up may not occur properly when the Ethernet cable is initially
      connected. This issue occurs more commonly when the cable is connected
      slowly, but it may occur any time a cable is connected. This issue occurs
      in the auto-negotiation circuit, and will not occur if auto-negotiation
      is disabled (which requires that the two link partners be set to the
      same speed and duplex).
      
      END USER IMPLICATIONS
      When this issue occurs, link is not established. Subsequent cable
      plug/unplaug cycle will not correct the issue.
      
      WORk AROUND
      There are four approaches to work around this issue:
      1. This issue can be prevented by setting bit 15 in MMD device address 1,
         register 2, prior to connecting the cable or prior to setting the
         Restart Auto-negotiation bit in register 0h. The MMD registers are
         accessed via the indirect access registers Dh and Eh, or via the Micrel
         EthUtil utility as shown here:
         . if using the EthUtil utility (usually with a Micrel KSZ8061
           Evaluation Board), type the following commands:
           > address 1
           > mmd 1
           > iw 2 b61a
         . Alternatively, write the following registers to write to the
           indirect MMD register:
           Write register Dh, data 0001h
           Write register Eh, data 0002h
           Write register Dh, data 4001h
           Write register Eh, data B61Ah
      2. The issue can be avoided by disabling auto-negotiation in the KSZ8061,
         either by the strapping option, or by clearing bit 12 in register 0h.
         Care must be taken to ensure that the KSZ8061 and the link partner
         will link with the same speed and duplex. Note that the KSZ8061
         defaults to full-duplex when auto-negotiation is off, but other
         devices may default to half-duplex in the event of failed
         auto-negotiation.
      3. The issue can be avoided by connecting the cable prior to powering-up
         or resetting the KSZ8061, and leaving it plugged in thereafter.
      4. If the above measures are not taken and the problem occurs, link can
         be recovered by setting the Restart Auto-Negotiation bit in
         register 0h, or by resetting or power cycling the device. Reset may
         be either hardware reset or software reset (register 0h, bit 15).
      
      PLAN
      This errata will not be corrected in the future revision.
      
      Fixes: 7ab59dc1 ("drivers/net/phy/micrel_phy: Add support for new PHYs")
      Signed-off-by: default avatarAlexander Onnasch <alexander.onnasch@landisgyr.com>
      Signed-off-by: default avatarRajasingh Thavamani <T.Rajasingh@landisgyr.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9e298f8
    • Timur Celik's avatar
      tun: remove unnecessary memory barrier · a7e2560f
      Timur Celik authored
      [ Upstream commit ecef67cb ]
      
      Replace set_current_state with __set_current_state since no memory
      barrier is needed at this point.
      Signed-off-by: default avatarTimur Celik <mail@timurcelik.de>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7e2560f
    • Timur Celik's avatar
      tun: fix blocking read · 32869c80
      Timur Celik authored
      [ Upstream commit 71828b22 ]
      
      This patch moves setting of the current state into the loop. Otherwise
      the task may end up in a busy wait loop if none of the break conditions
      are met.
      Signed-off-by: default avatarTimur Celik <mail@timurcelik.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      32869c80
    • David Ahern's avatar
      mpls: Return error for RTA_GATEWAY attribute · a9494400
      David Ahern authored
      [ Upstream commit be48220e ]
      
      MPLS does not support nexthops with an MPLS address family.
      Specifically, it does not handle RTA_GATEWAY attribute. Make it
      clear by returning an error.
      
      Fixes: 03c05665 ("mpls: Netlink commands to add, remove, and dump routes")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9494400
    • David Ahern's avatar
      ipv6: Return error for RTA_VIA attribute · 87964ee1
      David Ahern authored
      [ Upstream commit e3818541 ]
      
      IPv6 currently does not support nexthops outside of the AF_INET6 family.
      Specifically, it does not handle RTA_VIA attribute. If it is passed
      in a route add request, the actual route added only uses the device
      which is clearly not what the user intended:
      
        $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0
        $ ip ro ls
        ...
        2001:db8:2::/64 dev eth0 metric 1024 pref medium
      
      Catch this and fail the route add:
        $ ip -6 ro add 2001:db8:2::/64 via inet 172.16.1.1 dev eth0
        Error: IPv6 does not support RTA_VIA attribute.
      
      Fixes: 03c05665 ("mpls: Netlink commands to add, remove, and dump routes")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      87964ee1
    • David Ahern's avatar
      ipv4: Return error for RTA_VIA attribute · 987e2bfb
      David Ahern authored
      [ Upstream commit b6e9e5df ]
      
      IPv4 currently does not support nexthops outside of the AF_INET family.
      Specifically, it does not handle RTA_VIA attribute. If it is passed
      in a route add request, the actual route added only uses the device
      which is clearly not what the user intended:
      
        $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0
        $ ip ro ls
        ...
        172.16.1.0/24 dev eth0
      
      Catch this and fail the route add:
        $ ip ro add 172.16.1.0/24 via inet6 2001:db8:1::1 dev eth0
        Error: IPv4 does not support RTA_VIA attribute.
      
      Fixes: 03c05665 ("mpls: Netlink commands to add, remove, and dump routes")
      Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      987e2bfb
    • Nazarov Sergey's avatar
      net: avoid use IPCB in cipso_v4_error · 980a7167
      Nazarov Sergey authored
      [ Upstream commit 3da1ed7a ]
      
      Extract IP options in cipso_v4_error and use __icmp_send.
      Signed-off-by: default avatarSergey Nazarov <s-nazarov@yandex.ru>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      980a7167
    • Nazarov Sergey's avatar
      net: Add __icmp_send helper. · 15310038
      Nazarov Sergey authored
      [ Upstream commit 9ef6b42a ]
      
      Add __icmp_send function having ip_options struct parameter
      Signed-off-by: default avatarSergey Nazarov <s-nazarov@yandex.ru>
      Reviewed-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      15310038
    • Igor Druzhinin's avatar
      xen-netback: fix occasional leak of grant ref mappings under memory pressure · 1902c0cb
      Igor Druzhinin authored
      [ Upstream commit 99e87f56 ]
      
      Zero-copy callback flag is not yet set on frag list skb at the moment
      xenvif_handle_frag_list() returns -ENOMEM. This eventually results in
      leaking grant ref mappings since xenvif_zerocopy_callback() is never
      called for these fragments. Those eventually build up and cause Xen
      to kill Dom0 as the slots get reused for new mappings:
      
      "d0v0 Attempt to implicitly unmap a granted PTE c010000329fce005"
      
      That behavior is observed under certain workloads where sudden spikes
      of page cache writes coexist with active atomic skb allocations from
      network traffic. Additionally, rework the logic to deal with frag_list
      deallocation in a single place.
      Signed-off-by: default avatarPaul Durrant <paul.durrant@citrix.com>
      Signed-off-by: default avatarIgor Druzhinin <igor.druzhinin@citrix.com>
      Acked-by: default avatarWei Liu <wei.liu2@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1902c0cb
    • Igor Druzhinin's avatar
      xen-netback: don't populate the hash cache on XenBus disconnect · 03756e82
      Igor Druzhinin authored
      [ Upstream commit a2288d4e ]
      
      Occasionally, during the disconnection procedure on XenBus which
      includes hash cache deinitialization there might be some packets
      still in-flight on other processors. Handling of these packets includes
      hashing and hash cache population that finally results in hash cache
      data structure corruption.
      
      In order to avoid this we prevent hashing of those packets if there
      are no queues initialized. In that case RCU protection of queues guards
      the hash cache as well.
      Signed-off-by: default avatarIgor Druzhinin <igor.druzhinin@citrix.com>
      Reviewed-by: default avatarPaul Durrant <paul.durrant@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03756e82
    • Eric Biggers's avatar
      net: socket: set sock->sk to NULL after calling proto_ops::release() · e5e8350d
      Eric Biggers authored
      [ Upstream commit ff7b11aa ]
      
      Commit 9060cb71 ("net: crypto set sk to NULL when af_alg_release.")
      fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
      closed concurrently with fchownat().  However, it ignored that many
      other proto_ops::release() methods don't set sock->sk to NULL and
      therefore allow the same use-after-free:
      
          - base_sock_release
          - bnep_sock_release
          - cmtp_sock_release
          - data_sock_release
          - dn_release
          - hci_sock_release
          - hidp_sock_release
          - iucv_sock_release
          - l2cap_sock_release
          - llcp_sock_release
          - llc_ui_release
          - rawsock_release
          - rfcomm_sock_release
          - sco_sock_release
          - svc_release
          - vcc_release
          - x25_release
      
      Rather than fixing all these and relying on every socket type to get
      this right forever, just make __sock_release() set sock->sk to NULL
      itself after calling proto_ops::release().
      
      Reproducer that produces the KASAN splat when any of these socket types
      are configured into the kernel:
      
          #include <pthread.h>
          #include <stdlib.h>
          #include <sys/socket.h>
          #include <unistd.h>
      
          pthread_t t;
          volatile int fd;
      
          void *close_thread(void *arg)
          {
              for (;;) {
                  usleep(rand() % 100);
                  close(fd);
              }
          }
      
          int main()
          {
              pthread_create(&t, NULL, close_thread, NULL);
              for (;;) {
                  fd = socket(rand() % 50, rand() % 11, 0);
                  fchownat(fd, "", 1000, 1000, 0x1000);
                  close(fd);
              }
          }
      
      Fixes: 86741ec2 ("net: core: Add a UID field to struct sock.")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e5e8350d
    • Mao Wenan's avatar
      net: sit: fix memory leak in sit_init_net() · 46a5caa7
      Mao Wenan authored
      [ Upstream commit 07f12b26 ]
      
      If register_netdev() is failed to register sitn->fb_tunnel_dev,
      it will go to err_reg_dev and forget to free netdev(sitn->fb_tunnel_dev).
      
      BUG: memory leak
      unreferenced object 0xffff888378daad00 (size 512):
        comm "syz-executor.1", pid 4006, jiffies 4295121142 (age 16.115s)
        hex dump (first 32 bytes):
          00 e6 ed c0 83 88 ff ff 00 00 00 00 00 00 00 00  ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      backtrace:
          [<00000000d6dcb63e>] kvmalloc include/linux/mm.h:577 [inline]
          [<00000000d6dcb63e>] kvzalloc include/linux/mm.h:585 [inline]
          [<00000000d6dcb63e>] netif_alloc_netdev_queues net/core/dev.c:8380 [inline]
          [<00000000d6dcb63e>] alloc_netdev_mqs+0x600/0xcc0 net/core/dev.c:8970
          [<00000000867e172f>] sit_init_net+0x295/0xa40 net/ipv6/sit.c:1848
          [<00000000871019fa>] ops_init+0xad/0x3e0 net/core/net_namespace.c:129
          [<00000000319507f6>] setup_net+0x2ba/0x690 net/core/net_namespace.c:314
          [<0000000087db4f96>] copy_net_ns+0x1dc/0x330 net/core/net_namespace.c:437
          [<0000000057efc651>] create_new_namespaces+0x382/0x730 kernel/nsproxy.c:107
          [<00000000676f83de>] copy_namespaces+0x2ed/0x3d0 kernel/nsproxy.c:165
          [<0000000030b74bac>] copy_process.part.27+0x231e/0x6db0 kernel/fork.c:1919
          [<00000000fff78746>] copy_process kernel/fork.c:1713 [inline]
          [<00000000fff78746>] _do_fork+0x1bc/0xe90 kernel/fork.c:2224
          [<000000001c2e0d1c>] do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:290
          [<00000000ec48bd44>] entry_SYSCALL_64_after_hwframe+0x49/0xbe
          [<0000000039acff8a>] 0xffffffffffffffff
      Signed-off-by: default avatarMao Wenan <maowenan@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46a5caa7
    • Heiner Kallweit's avatar
      net: phy: phylink: fix uninitialized variable in phylink_get_mac_state · bf92de28
      Heiner Kallweit authored
      [ Upstream commit d25ed413 ]
      
      When debugging an issue I found implausible values in state->pause.
      Reason in that state->pause isn't initialized and later only single
      bits are changed. Also the struct itself isn't initialized in
      phylink_resolve(). So better initialize state->pause and other
      not yet initialized fields.
      
      v2:
      - use right function name in subject
      v3:
      - initialize additional fields
      
      Fixes: 9525ae83 ("phylink: add phylink infrastructure")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bf92de28
    • YueHaibing's avatar
      net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails · b275f8e6
      YueHaibing authored
      [ Upstream commit 58bdd544 ]
      
      KASAN report this:
      
      BUG: KASAN: null-ptr-deref in nfc_llcp_build_gb+0x37f/0x540 [nfc]
      Read of size 3 at addr 0000000000000000 by task syz-executor.0/5401
      
      CPU: 0 PID: 5401 Comm: syz-executor.0 Not tainted 5.0.0-rc7+ #45
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xfa/0x1ce lib/dump_stack.c:113
       kasan_report+0x171/0x18d mm/kasan/report.c:321
       memcpy+0x1f/0x50 mm/kasan/common.c:130
       nfc_llcp_build_gb+0x37f/0x540 [nfc]
       nfc_llcp_register_device+0x6eb/0xb50 [nfc]
       nfc_register_device+0x50/0x1d0 [nfc]
       nfcsim_device_new+0x394/0x67d [nfcsim]
       ? 0xffffffffc1080000
       nfcsim_init+0x6b/0x1000 [nfcsim]
       do_one_initcall+0xfa/0x5ca init/main.c:887
       do_init_module+0x204/0x5f6 kernel/module.c:3460
       load_module+0x66b2/0x8570 kernel/module.c:3808
       __do_sys_finit_module+0x238/0x2a0 kernel/module.c:3902
       do_syscall_64+0x147/0x600 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007f9cb79dcc58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
      RBP: 00007f9cb79dcc70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f9cb79dd6bc
      R13: 00000000004bcefb R14: 00000000006f7030 R15: 0000000000000004
      
      nfc_llcp_build_tlv will return NULL on fails, caller should check it,
      otherwise will trigger a NULL dereference.
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Fixes: eda21f16 ("NFC: Set MIU and RW values from CONNECT and CC LLCP frames")
      Fixes: d646960f ("NFC: Initial LLCP support")
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b275f8e6
    • Sheng Lan's avatar
      net: netem: fix skb length BUG_ON in __skb_to_sgvec · 4de7d306
      Sheng Lan authored
      [ Upstream commit 5845f706 ]
      
      It can be reproduced by following steps:
      1. virtio_net NIC is configured with gso/tso on
      2. configure nginx as http server with an index file bigger than 1M bytes
      3. use tc netem to produce duplicate packets and delay:
         tc qdisc add dev eth0 root netem delay 100ms 10ms 30% duplicate 90%
      4. continually curl the nginx http server to get index file on client
      5. BUG_ON is seen quickly
      
      [10258690.371129] kernel BUG at net/core/skbuff.c:4028!
      [10258690.371748] invalid opcode: 0000 [#1] SMP PTI
      [10258690.372094] CPU: 5 PID: 0 Comm: swapper/5 Tainted: G        W         5.0.0-rc6 #2
      [10258690.372094] RSP: 0018:ffffa05797b43da0 EFLAGS: 00010202
      [10258690.372094] RBP: 00000000000005ea R08: 0000000000000000 R09: 00000000000005ea
      [10258690.372094] R10: ffffa0579334d800 R11: 00000000000002c0 R12: 0000000000000002
      [10258690.372094] R13: 0000000000000000 R14: ffffa05793122900 R15: ffffa0578f7cb028
      [10258690.372094] FS:  0000000000000000(0000) GS:ffffa05797b40000(0000) knlGS:0000000000000000
      [10258690.372094] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [10258690.372094] CR2: 00007f1a6dc00868 CR3: 000000001000e000 CR4: 00000000000006e0
      [10258690.372094] Call Trace:
      [10258690.372094]  <IRQ>
      [10258690.372094]  skb_to_sgvec+0x11/0x40
      [10258690.372094]  start_xmit+0x38c/0x520 [virtio_net]
      [10258690.372094]  dev_hard_start_xmit+0x9b/0x200
      [10258690.372094]  sch_direct_xmit+0xff/0x260
      [10258690.372094]  __qdisc_run+0x15e/0x4e0
      [10258690.372094]  net_tx_action+0x137/0x210
      [10258690.372094]  __do_softirq+0xd6/0x2a9
      [10258690.372094]  irq_exit+0xde/0xf0
      [10258690.372094]  smp_apic_timer_interrupt+0x74/0x140
      [10258690.372094]  apic_timer_interrupt+0xf/0x20
      [10258690.372094]  </IRQ>
      
      In __skb_to_sgvec(), the skb->len is not equal to the sum of the skb's
      linear data size and nonlinear data size, thus BUG_ON triggered.
      Because the skb is cloned and a part of nonlinear data is split off.
      
      Duplicate packet is cloned in netem_enqueue() and may be delayed
      some time in qdisc. When qdisc len reached the limit and returns
      NET_XMIT_DROP, the skb will be retransmit later in write queue.
      the skb will be fragmented by tso_fragment(), the limit size
      that depends on cwnd and mss decrease, the skb's nonlinear
      data will be split off. The length of the skb cloned by netem
      will not be updated. When we use virtio_net NIC and invoke skb_to_sgvec(),
      the BUG_ON trigger.
      
      To fix it, netem returns NET_XMIT_SUCCESS to upper stack
      when it clones a duplicate packet.
      
      Fixes: 35d889d1 ("sch_netem: fix skb leak in netem_enqueue()")
      Signed-off-by: default avatarSheng Lan <lansheng@huawei.com>
      Reported-by: default avatarQin Ji <jiqin.ji@huawei.com>
      Suggested-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4de7d306
    • Paul Moore's avatar
      netlabel: fix out-of-bounds memory accesses · fcfe700a
      Paul Moore authored
      [ Upstream commit 5578de48 ]
      
      There are two array out-of-bounds memory accesses, one in
      cipso_v4_map_lvl_valid(), the other in netlbl_bitmap_walk().  Both
      errors are embarassingly simple, and the fixes are straightforward.
      
      As a FYI for anyone backporting this patch to kernels prior to v4.8,
      you'll want to apply the netlbl_bitmap_walk() patch to
      cipso_v4_bitmap_walk() as netlbl_bitmap_walk() doesn't exist before
      Linux v4.8.
      Reported-by: default avatarJann Horn <jannh@google.com>
      Fixes: 446fda4f ("[NetLabel]: CIPSOv4 engine")
      Fixes: 3faa8f98 ("netlabel: Move bitmap manipulation functions to the NetLabel core.")
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fcfe700a