1. 17 Dec, 2018 5 commits
    • Su Yanjun's avatar
      net: 8139cp: fix a BUG triggered by changing mtu with network traffic · 4c65c73c
      Su Yanjun authored
      [ Upstream commit a5d4a892 ]
      
      When changing mtu many times with traffic, a bug is triggered:
      
      [ 1035.684037] kernel BUG at lib/dynamic_queue_limits.c:26!
      [ 1035.684042] invalid opcode: 0000 [#1] SMP
      [ 1035.684049] Modules linked in: loop binfmt_misc 8139cp(OE) macsec
      tcp_diag udp_diag inet_diag unix_diag af_packet_diag netlink_diag tcp_lp
      fuse uinput xt_CHECKSUM iptable_mangle ipt_MASQUERADE
      nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4
      nf_defrag_ipv4 xt_conntrack nf_conntrack ipt_REJECT nf_reject_ipv4 tun
      bridge stp llc ebtable_filter ebtables ip6table_filter devlink
      ip6_tables iptable_filter sunrpc snd_hda_codec_generic snd_hda_intel
      snd_hda_codec snd_hda_core snd_hwdep ppdev snd_seq iosf_mbi crc32_pclmul
      parport_pc snd_seq_device ghash_clmulni_intel parport snd_pcm
      aesni_intel joydev lrw snd_timer virtio_balloon sg gf128mul glue_helper
      ablk_helper cryptd snd soundcore i2c_piix4 pcspkr ip_tables xfs
      libcrc32c sr_mod sd_mod cdrom crc_t10dif crct10dif_generic ata_generic
      [ 1035.684102]  pata_acpi virtio_console qxl drm_kms_helper syscopyarea
      sysfillrect sysimgblt floppy fb_sys_fops crct10dif_pclmul
      crct10dif_common ttm crc32c_intel serio_raw ata_piix drm libata 8139too
      virtio_pci drm_panel_orientation_quirks virtio_ring virtio mii dm_mirror
      dm_region_hash dm_log dm_mod [last unloaded: 8139cp]
      [ 1035.684132] CPU: 9 PID: 25140 Comm: if-mtu-change Kdump: loaded
      Tainted: G           OE  ------------ T 3.10.0-957.el7.x86_64 #1
      [ 1035.684134] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [ 1035.684136] task: ffff8f59b1f5a080 ti: ffff8f5a2e32c000 task.ti:
      ffff8f5a2e32c000
      [ 1035.684149] RIP: 0010:[<ffffffffba3a40d0>]  [<ffffffffba3a40d0>]
      dql_completed+0x180/0x190
      [ 1035.684162] RSP: 0000:ffff8f5a75483e50  EFLAGS: 00010093
      [ 1035.684162] RAX: 00000000000000c2 RBX: ffff8f5a6f91c000 RCX:
      0000000000000000
      [ 1035.684162] RDX: 0000000000000000 RSI: 0000000000000184 RDI:
      ffff8f599fea3ec0
      [ 1035.684162] RBP: ffff8f5a75483ea8 R08: 00000000000000c2 R09:
      0000000000000000
      [ 1035.684162] R10: 00000000000616ef R11: ffff8f5a75483b56 R12:
      ffff8f599fea3e00
      [ 1035.684162] R13: 0000000000000001 R14: 0000000000000000 R15:
      0000000000000184
      [ 1035.684162] FS:  00007fa8434de740(0000) GS:ffff8f5a75480000(0000)
      knlGS:0000000000000000
      [ 1035.684162] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1035.684162] CR2: 00000000004305d0 CR3: 000000024eb66000 CR4:
      00000000001406e0
      [ 1035.684162] Call Trace:
      [ 1035.684162]  <IRQ>
      [ 1035.684162]  [<ffffffffc08cbaf8>] ? cp_interrupt+0x478/0x580 [8139cp]
      [ 1035.684162]  [<ffffffffba14a294>]
      __handle_irq_event_percpu+0x44/0x1c0
      [ 1035.684162]  [<ffffffffba14a442>] handle_irq_event_percpu+0x32/0x80
      [ 1035.684162]  [<ffffffffba14a4cc>] handle_irq_event+0x3c/0x60
      [ 1035.684162]  [<ffffffffba14db29>] handle_fasteoi_irq+0x59/0x110
      [ 1035.684162]  [<ffffffffba02e554>] handle_irq+0xe4/0x1a0
      [ 1035.684162]  [<ffffffffba7795dd>] do_IRQ+0x4d/0xf0
      [ 1035.684162]  [<ffffffffba76b362>] common_interrupt+0x162/0x162
      [ 1035.684162]  <EOI>
      [ 1035.684162]  [<ffffffffba0c2ae4>] ? __wake_up_bit+0x24/0x70
      [ 1035.684162]  [<ffffffffba1e46f5>] ? do_set_pte+0xd5/0x120
      [ 1035.684162]  [<ffffffffba1b64fb>] unlock_page+0x2b/0x30
      [ 1035.684162]  [<ffffffffba1e4879>] do_read_fault.isra.61+0x139/0x1b0
      [ 1035.684162]  [<ffffffffba1e9134>] handle_pte_fault+0x2f4/0xd10
      [ 1035.684162]  [<ffffffffba1ebc6d>] handle_mm_fault+0x39d/0x9b0
      [ 1035.684162]  [<ffffffffba76f5e3>] __do_page_fault+0x203/0x500
      [ 1035.684162]  [<ffffffffba76f9c6>] trace_do_page_fault+0x56/0x150
      [ 1035.684162]  [<ffffffffba76ef42>] do_async_page_fault+0x22/0xf0
      [ 1035.684162]  [<ffffffffba76b788>] async_page_fault+0x28/0x30
      [ 1035.684162] Code: 54 c7 47 54 ff ff ff ff 44 0f 49 ce 48 8b 35 48 2f
      9c 00 48 89 77 58 e9 fe fe ff ff 0f 1f 80 00 00 00 00 41 89 d1 e9 ef fe
      ff ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 55 8d 42 ff 48
      [ 1035.684162] RIP  [<ffffffffba3a40d0>] dql_completed+0x180/0x190
      [ 1035.684162]  RSP <ffff8f5a75483e50>
      
      It's not the same as in 7fe0ee09 patch described.
      As 8139cp uses shared irq mode, other device irq will trigger
      cp_interrupt to execute.
      
      cp_change_mtu
       -> cp_close
       -> cp_open
      
      In cp_close routine  just before free_irq(), some interrupt may occur.
      In my environment, cp_interrupt exectutes and IntrStatus is 0x4,
      exactly TxOk. That will cause cp_tx to wake device queue.
      
      As device queue is started, cp_start_xmit and cp_open will run at same
      time which will cause kernel BUG.
      
      For example:
      [#] for tx descriptor
      
      At start:
      
      [#][#][#]
      num_queued=3
      
      After cp_init_hw->cp_start_hw->netdev_reset_queue:
      
      [#][#][#]
      num_queued=0
      
      When 8139cp starts to work then cp_tx will check
      num_queued mismatchs the complete_bytes.
      
      The patch will check IntrMask before check IntrStatus in cp_interrupt.
      When 8139cp interrupt is disabled, just return.
      Signed-off-by: default avatarSu Yanjun <suyj.fnst@cn.fujitsu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c65c73c
    • Shmulik Ladkani's avatar
      ipv6: sr: properly initialize flowi6 prior passing to ip6_route_output · 25f111f2
      Shmulik Ladkani authored
      [ Upstream commit 1b4e5ad5 ]
      
      In 'seg6_output', stack variable 'struct flowi6 fl6' was missing
      initialization.
      
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Signed-off-by: default avatarShmulik Ladkani <shmulik.ladkani@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      25f111f2
    • Stefano Brivio's avatar
      neighbour: Avoid writing before skb->head in neigh_hh_output() · 9380dc7c
      Stefano Brivio authored
      [ Upstream commit e6ac64d4 ]
      
      While skb_push() makes the kernel panic if the skb headroom is less than
      the unaligned hardware header size, it will proceed normally in case we
      copy more than that because of alignment, and we'll silently corrupt
      adjacent slabs.
      
      In the case fixed by the previous patch,
      "ipv6: Check available headroom in ip6_xmit() even without options", we
      end up in neigh_hh_output() with 14 bytes headroom, 14 bytes hardware
      header and write 16 bytes, starting 2 bytes before the allocated buffer.
      
      Always check we're not writing before skb->head and, if the headroom is
      not enough, warn and drop the packet.
      
      v2:
       - instead of panicking with BUG_ON(), WARN_ON_ONCE() and drop the packet
         (Eric Dumazet)
       - if we avoid the panic, though, we need to explicitly check the headroom
         before the memcpy(), otherwise we'll have corrupted slabs on a running
         kernel, after we warn
       - use __skb_push() instead of skb_push(), as the headroom check is
         already implemented here explicitly (Eric Dumazet)
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9380dc7c
    • Stefano Brivio's avatar
      ipv6: Check available headroom in ip6_xmit() even without options · ece6a4b7
      Stefano Brivio authored
      [ Upstream commit 66033f47 ]
      
      Even if we send an IPv6 packet without options, MAX_HEADER might not be
      enough to account for the additional headroom required by alignment of
      hardware headers.
      
      On a configuration without HYPERV_NET, WLAN, AX25, and with IPV6_TUNNEL,
      sending short SCTP packets over IPv4 over L2TP over IPv6, we start with
      100 bytes of allocated headroom in sctp_packet_transmit(), end up with 54
      bytes after l2tp_xmit_skb(), and 14 bytes in ip6_finish_output2().
      
      Those would be enough to append our 14 bytes header, but we're going to
      align that to 16 bytes, and write 2 bytes out of the allocated slab in
      neigh_hh_output().
      
      KASan says:
      
      [  264.967848] ==================================================================
      [  264.967861] BUG: KASAN: slab-out-of-bounds in ip6_finish_output2+0x1aec/0x1c70
      [  264.967866] Write of size 16 at addr 000000006af1c7fe by task netperf/6201
      [  264.967870]
      [  264.967876] CPU: 0 PID: 6201 Comm: netperf Not tainted 4.20.0-rc4+ #1
      [  264.967881] Hardware name: IBM 2827 H43 400 (z/VM 6.4.0)
      [  264.967887] Call Trace:
      [  264.967896] ([<00000000001347d6>] show_stack+0x56/0xa0)
      [  264.967903]  [<00000000017e379c>] dump_stack+0x23c/0x290
      [  264.967912]  [<00000000007bc594>] print_address_description+0xf4/0x290
      [  264.967919]  [<00000000007bc8fc>] kasan_report+0x13c/0x240
      [  264.967927]  [<000000000162f5e4>] ip6_finish_output2+0x1aec/0x1c70
      [  264.967935]  [<000000000163f890>] ip6_finish_output+0x430/0x7f0
      [  264.967943]  [<000000000163fe44>] ip6_output+0x1f4/0x580
      [  264.967953]  [<000000000163882a>] ip6_xmit+0xfea/0x1ce8
      [  264.967963]  [<00000000017396e2>] inet6_csk_xmit+0x282/0x3f8
      [  264.968033]  [<000003ff805fb0ba>] l2tp_xmit_skb+0xe02/0x13e0 [l2tp_core]
      [  264.968037]  [<000003ff80631192>] l2tp_eth_dev_xmit+0xda/0x150 [l2tp_eth]
      [  264.968041]  [<0000000001220020>] dev_hard_start_xmit+0x268/0x928
      [  264.968069]  [<0000000001330e8e>] sch_direct_xmit+0x7ae/0x1350
      [  264.968071]  [<000000000122359c>] __dev_queue_xmit+0x2b7c/0x3478
      [  264.968075]  [<00000000013d2862>] ip_finish_output2+0xce2/0x11a0
      [  264.968078]  [<00000000013d9b14>] ip_finish_output+0x56c/0x8c8
      [  264.968081]  [<00000000013ddd1e>] ip_output+0x226/0x4c0
      [  264.968083]  [<00000000013dbd6c>] __ip_queue_xmit+0x894/0x1938
      [  264.968100]  [<000003ff80bc3a5c>] sctp_packet_transmit+0x29d4/0x3648 [sctp]
      [  264.968116]  [<000003ff80b7bf68>] sctp_outq_flush_ctrl.constprop.5+0x8d0/0xe50 [sctp]
      [  264.968131]  [<000003ff80b7c716>] sctp_outq_flush+0x22e/0x7d8 [sctp]
      [  264.968146]  [<000003ff80b35c68>] sctp_cmd_interpreter.isra.16+0x530/0x6800 [sctp]
      [  264.968161]  [<000003ff80b3410a>] sctp_do_sm+0x222/0x648 [sctp]
      [  264.968177]  [<000003ff80bbddac>] sctp_primitive_ASSOCIATE+0xbc/0xf8 [sctp]
      [  264.968192]  [<000003ff80b93328>] __sctp_connect+0x830/0xc20 [sctp]
      [  264.968208]  [<000003ff80bb11ce>] sctp_inet_connect+0x2e6/0x378 [sctp]
      [  264.968212]  [<0000000001197942>] __sys_connect+0x21a/0x450
      [  264.968215]  [<000000000119aff8>] sys_socketcall+0x3d0/0xb08
      [  264.968218]  [<000000000184ea7a>] system_call+0x2a2/0x2c0
      
      [...]
      
      Just like ip_finish_output2() does for IPv4, check that we have enough
      headroom in ip6_xmit(), and reallocate it if we don't.
      
      This issue is older than git history.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ece6a4b7
    • Jiri Wiesner's avatar
      ipv4: ipv6: netfilter: Adjust the frag mem limit when truesize changes · da4b6929
      Jiri Wiesner authored
      [ Upstream commit ebaf39e6 ]
      
      The *_frag_reasm() functions are susceptible to miscalculating the byte
      count of packet fragments in case the truesize of a head buffer changes.
      The truesize member may be changed by the call to skb_unclone(), leaving
      the fragment memory limit counter unbalanced even if all fragments are
      processed. This miscalculation goes unnoticed as long as the network
      namespace which holds the counter is not destroyed.
      
      Should an attempt be made to destroy a network namespace that holds an
      unbalanced fragment memory limit counter the cleanup of the namespace
      never finishes. The thread handling the cleanup gets stuck in
      inet_frags_exit_net() waiting for the percpu counter to reach zero. The
      thread is usually in running state with a stacktrace similar to:
      
       PID: 1073   TASK: ffff880626711440  CPU: 1   COMMAND: "kworker/u48:4"
        #5 [ffff880621563d48] _raw_spin_lock at ffffffff815f5480
        #6 [ffff880621563d48] inet_evict_bucket at ffffffff8158020b
        #7 [ffff880621563d80] inet_frags_exit_net at ffffffff8158051c
        #8 [ffff880621563db0] ops_exit_list at ffffffff814f5856
        #9 [ffff880621563dd8] cleanup_net at ffffffff814f67c0
       #10 [ffff880621563e38] process_one_work at ffffffff81096f14
      
      It is not possible to create new network namespaces, and processes
      that call unshare() end up being stuck in uninterruptible sleep state
      waiting to acquire the net_mutex.
      
      The bug was observed in the IPv6 netfilter code by Per Sundstrom.
      I thank him for his analysis of the problem. The parts of this patch
      that apply to IPv4 and IPv6 fragment reassembly are preemptive measures.
      Signed-off-by: default avatarJiri Wiesner <jwiesner@suse.com>
      Reported-by: default avatarPer Sundstrom <per.sundstrom@redqube.se>
      Acked-by: default avatarPeter Oskolkov <posk@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da4b6929
  2. 13 Dec, 2018 35 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.14.88 · 1bb538a3
      Greg Kroah-Hartman authored
      1bb538a3
    • Emmanuel Grumbach's avatar
      mac80211: ignore NullFunc frames in the duplicate detection · 7b6d9327
      Emmanuel Grumbach authored
      commit 990d7184 upstream.
      
      NullFunc packets should never be duplicate just like
      QoS-NullFunc packets.
      
      We saw a client that enters / exits power save with
      NullFunc frames (and not with QoS-NullFunc) despite the
      fact that the association supports HT.
      This specific client also re-uses a non-zero sequence number
      for different NullFunc frames.
      At some point, the client had to send a retransmission of
      the NullFunc frame and we dropped it, leading to a
      misalignment in the power save state.
      Fix this by never consider a NullFunc frame as duplicate,
      just like we do for QoS NullFunc frames.
      
      This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201449
      
      CC: <stable@vger.kernel.org>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7b6d9327
    • Felix Fietkau's avatar
      mac80211: fix reordering of buffered broadcast packets · bbc4242a
      Felix Fietkau authored
      commit 9ec1190d upstream.
      
      If the buffered broadcast queue contains packets, letting new packets bypass
      that queue can lead to heavy reordering, since the driver is probably throttling
      transmission of buffered multicast packets after beacons.
      
      Keep buffering packets until the buffer has been cleared (and no client
      is in powersave mode).
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbc4242a
    • Felix Fietkau's avatar
      mac80211: ignore tx status for PS stations in ieee80211_tx_status_ext · a2c934fb
      Felix Fietkau authored
      commit a317e65f upstream.
      
      Make it behave like regular ieee80211_tx_status calls, except for the lack of
      filtered frame processing.
      This fixes spurious low-ack triggered disconnections with powersave clients
      connected to an AP.
      
      Fixes: f027c2ac ("mac80211: add ieee80211_tx_status_noskb")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a2c934fb
    • Ben Greear's avatar
      mac80211: Clear beacon_int in ieee80211_do_stop · 9e82abdd
      Ben Greear authored
      commit 5c21e810 upstream.
      
      This fixes stale beacon-int values that would keep a netdev
      from going up.
      
      To reproduce:
      
      Create two VAP on one radio.
      vap1 has beacon-int 100, start it.
      vap2 has beacon-int 240, start it (and it will fail
        because beacon-int mismatch).
      reconfigure vap2 to have beacon-int 100 and start it.
        It will fail because the stale beacon-int 240 will be used
        in the ifup path and hostapd never gets a chance to set the
        new beacon interval.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarBen Greear <greearb@candelatech.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9e82abdd
    • Vasyl Vavrychuk's avatar
      mac80211_hwsim: Timer should be initialized before device registered · 199a81ac
      Vasyl Vavrychuk authored
      commit a1881c9b upstream.
      
      Otherwise if network manager starts configuring Wi-Fi interface
      immidiatelly after getting notification of its creation, we will get
      NULL pointer dereference:
      
        BUG: unable to handle kernel NULL pointer dereference at           (null)
        IP: [<ffffffff95ae94c8>] hrtimer_active+0x28/0x50
        ...
        Call Trace:
         [<ffffffff95ae9997>] ? hrtimer_try_to_cancel+0x27/0x110
         [<ffffffff95ae9a95>] ? hrtimer_cancel+0x15/0x20
         [<ffffffffc0803bf0>] ? mac80211_hwsim_config+0x140/0x1c0 [mac80211_hwsim]
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVasyl Vavrychuk <vasyl.vavrychuk@globallogic.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      199a81ac
    • Dan Williams's avatar
      libnvdimm, pfn: Pad pfn namespaces relative to other regions · 4794d94b
      Dan Williams authored
      commit ae86cbfe upstream.
      
      Commit cfe30b87 "libnvdimm, pmem: adjust for section collisions with
      'System RAM'" enabled Linux to workaround occasions where platform
      firmware arranges for "System RAM" and "Persistent Memory" to collide
      within a single section boundary. Unfortunately, as reported in this
      issue [1], platform firmware can inflict the same collision between
      persistent memory regions.
      
      The approach of interrogating iomem_resource does not work in this
      case because platform firmware may merge multiple regions into a single
      iomem_resource range. Instead provide a method to interrogate regions
      that share the same parent bus.
      
      This is a stop-gap until the core-MM can grow support for hotplug on
      sub-section boundaries.
      
      [1]: https://github.com/pmem/ndctl/issues/76
      
      Fixes: cfe30b87 ("libnvdimm, pmem: adjust for section collisions with...")
      Cc: <stable@vger.kernel.org>
      Reported-by: default avatarPatrick Geary <patrickg@supermicro.com>
      Tested-by: default avatarPatrick Geary <patrickg@supermicro.com>
      Reviewed-by: default avatarVishal Verma <vishal.l.verma@intel.com>
      Signed-off-by: default avatarDan Williams <dan.j.williams@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4794d94b
    • Macpaul Lin's avatar
      kgdboc: fix KASAN global-out-of-bounds bug in param_set_kgdboc_var() · b919b484
      Macpaul Lin authored
      commit dada6a43 upstream.
      
      This patch is trying to fix KE issue due to
      "BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198"
      reported by Syzkaller scan."
      
      [26364:syz-executor0][name:report8t]BUG: KASAN: global-out-of-bounds in param_set_kgdboc_var+0x194/0x198
      [26364:syz-executor0][name:report&]Read of size 1 at addr ffffff900e44f95f by task syz-executor0/26364
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0]CPU: 7 PID: 26364 Comm: syz-executor0 Tainted: G W 0
      [26364:syz-executor0]Call trace:
      [26364:syz-executor0][<ffffff9008095cf8>] dump_bacIctrace+Ox0/0x470
      [26364:syz-executor0][<ffffff9008096de0>] show_stack+0x20/0x30
      [26364:syz-executor0][<ffffff90089cc9c8>] dump_stack+Oxd8/0x128
      [26364:syz-executor0][<ffffff90084edb38>] print_address_description +0x80/0x4a8
      [26364:syz-executor0][<ffffff90084ee270>] kasan_report+Ox178/0x390
      [26364:syz-executor0][<ffffff90084ee4a0>] _asan_report_loadi_noabort+Ox18/0x20
      [26364:syz-executor0][<ffffff9008b092ac>] param_set_kgdboc_var+Ox194/0x198
      [26364:syz-executor0][<ffffff900813af64>] param_attr_store+Ox14c/0x270
      [26364:syz-executor0][<ffffff90081394c8>] module_attr_store+0x60/0x90
      [26364:syz-executor0][<ffffff90086690c0>] sysfs_kl_write+Ox100/0x158
      [26364:syz-executor0][<ffffff9008666d84>] kernfs_fop_write+0x27c/0x3a8
      [26364:syz-executor0][<ffffff9008508264>] do_loop_readv_writev+0x114/0x1b0
      [26364:syz-executor0][<ffffff9008509ac8>] do_readv_writev+0x4f8/0x5e0
      [26364:syz-executor0][<ffffff9008509ce4>] vfs_writev+0x7c/Oxb8
      [26364:syz-executor0][<ffffff900850ba64>] SyS_writev+Oxcc/0x208
      [26364:syz-executor0][<ffffff90080883f0>] elO_svc_naked +0x24/0x28
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0][name:report&]The buggy address belongs to the variable:
      [26364:syz-executor0][name:report&] kgdb_tty_line+Ox3f/0x40
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0][name:report&]Memory state around the buggy address:
      [26364:syz-executor0] ffffff900e44f800: 00 00 00 00 00 04 fa fa fa fa fa fa 00 fa fa fa
      [26364:syz-executor0] ffffff900e44f880: fa fa fa fa 00 fa fa fa fa fa fa fa 00 fa fa fa
      [26364:syz-executor0]> ffffff900e44f900: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00
      [26364:syz-executor0][name:report&]                                       ^
      [26364:syz-executor0] ffffff900e44f980: 00 fa fa fa fa fa fa fa 04 fa fa fa fa fa fa fa
      [26364:syz-executor0] ffffff900e44fa00: 04 fa fa fa fa fa fa fa 00 fa fa fa fa fa fa fa
      [26364:syz-executor0][name:report&]
      [26364:syz-executor0][name:panic&]Disabling lock debugging due to kernel taint
      [26364:syz-executor0]------------[cut here]------------
      
      After checking the source code, we've found there might be an out-of-bounds
      access to "config[len - 1]" array when the variable "len" is zero.
      Signed-off-by: default avatarMacpaul Lin <macpaul@gmail.com>
      Acked-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b919b484
    • Chanho Park's avatar
      tty: do not set TTY_IO_ERROR flag if console port · e4c3cc6b
      Chanho Park authored
      commit 2a486026 upstream.
      
      Since Commit 761ed4a9 ('tty: serial_core: convert uart_close to use
      tty_port_close') and Commit 4dda864d ('tty: serial_core: Fix serial
      console crash on port shutdown), a serial port which is used as
      console can be stuck when logging out if there is a remained process.
      After logged out, agetty will try to grab the serial port but it will
      be failed because the previous process did not release the port
      correctly. To fix this, TTY_IO_ERROR bit should not be enabled of
      tty_port_close if the port is console port.
      
      Reproduce step:
      - Run background processes from serial console
      $ while true; do sleep 10; done &
      
      - Log out
      $ logout
      -> Stuck
      
      - Read journal log by journalctl | tail
      Jan 28 16:07:01 ubuntu systemd[1]: Stopped Serial Getty on ttyAMA0.
      Jan 28 16:07:01 ubuntu systemd[1]: Started Serial Getty on ttyAMA0.
      Jan 28 16:07:02 ubuntu agetty[1643]: /dev/ttyAMA0: not a tty
      
      Fixes: 761ed4a9 ("tty: serial_core: convert uart_close to use tty_port_close")
      Cc: Geert Uytterhoeven <geert+renesas@glider.be>
      Cc: Rob Herring <robh@kernel.org>
      Cc: Jiri Slaby <jslaby@suse.com>
      Signed-off-by: default avatarChanho Park <parkch98@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e4c3cc6b
    • Peter Shih's avatar
      tty: serial: 8250_mtk: always resume the device in probe. · 4f50d3a0
      Peter Shih authored
      commit 100bc3e2 upstream.
      
      serial8250_register_8250_port calls uart_config_port, which calls
      config_port on the port before it tries to power on the port. So we need
      the port to be on before calling serial8250_register_8250_port. Change
      the code to always do a runtime resume in probe before registering port,
      and always do a runtime suspend in remove.
      
      This basically reverts the change in commit 68e5fc4a ("tty: serial:
      8250_mtk: use pm_runtime callbacks for enabling"), but still use
      pm_runtime callbacks.
      
      Fixes: 68e5fc4a ("tty: serial: 8250_mtk: use pm_runtime callbacks for enabling")
      Signed-off-by: default avatarPeter Shih <pihsun@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4f50d3a0
    • Dexuan Cui's avatar
      Drivers: hv: vmbus: Offload the handling of channels to two workqueues · c1063941
      Dexuan Cui authored
      commit 37c2578c upstream.
      
      vmbus_process_offer() mustn't call channel->sc_creation_callback()
      directly for sub-channels, because sc_creation_callback() ->
      vmbus_open() may never get the host's response to the
      OPEN_CHANNEL message (the host may rescind a channel at any time,
      e.g. in the case of hot removing a NIC), and vmbus_onoffer_rescind()
      may not wake up the vmbus_open() as it's blocked due to a non-zero
      vmbus_connection.offer_in_progress, and finally we have a deadlock.
      
      The above is also true for primary channels, if the related device
      drivers use sync probing mode by default.
      
      And, usually the handling of primary channels and sub-channels can
      depend on each other, so we should offload them to different
      workqueues to avoid possible deadlock, e.g. in sync-probing mode,
      NIC1's netvsc_subchan_work() can race with NIC2's netvsc_probe() ->
      rtnl_lock(), and causes deadlock: the former gets the rtnl_lock
      and waits for all the sub-channels to appear, but the latter
      can't get the rtnl_lock and this blocks the handling of sub-channels.
      
      The patch can fix the multiple-NIC deadlock described above for
      v3.x kernels (e.g. RHEL 7.x) which don't support async-probing
      of devices, and v4.4, v4.9, v4.14 and v4.18 which support async-probing
      but don't enable async-probing for Hyper-V drivers (yet).
      
      The patch can also fix the hang issue in sub-channel's handling described
      above for all versions of kernels, including v4.19 and v4.20-rc4.
      
      So actually the patch should be applied to all the existing kernels,
      not only the kernels that have 8195b139.
      
      Fixes: 8195b139 ("hv_netvsc: fix deadlock on hotplug")
      Cc: stable@vger.kernel.org
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: K. Y. Srinivasan <kys@microsoft.com>
      Cc: Haiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      Signed-off-by: default avatarK. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1063941
    • Alex Deucher's avatar
      drm/amdgpu/gmc8: update MC firmware for polaris · eff5e74f
      Alex Deucher authored
      commit a81a7c9c upstream.
      
      Some variants require different MC firmware images.
      Acked-by: default avatarChristian König <christian.koenig@amd.com>
      Reviewed-by: default avatarJunwei Zhang <Jerry.Zhang@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eff5e74f
    • Junwei Zhang's avatar
      drm/amdgpu: update mc firmware image for polaris12 variants · 99e6900d
      Junwei Zhang authored
      commit d7fd6765 upstream.
      
      Some new variants require updated firmware.
      Signed-off-by: default avatarJunwei Zhang <Jerry.Zhang@amd.com>
      Reviewed-by: default avatarEvan Quan <evan.quan@amd.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99e6900d
    • Young Xiao's avatar
      Revert commit ef9209b6 "staging: rtl8723bs: Fix indenting errors and an... · c33e7a5a
      Young Xiao authored
      Revert commit ef9209b6 "staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c"
      
      commit 87e4a540 upstream.
      
      pstapriv->max_num_sta is always <= NUM_STA, since max_num_sta is either
      set in _rtw_init_sta_priv() or rtw_set_beacon().
      
      Fixes: ef9209b6 ("staging: rtl8723bs: Fix indenting errors and an off-by-one mistake in core/rtw_mlme_ext.c")
      Signed-off-by: default avatarYoung Xiao <YangX92@hotmail.com>
      Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      c33e7a5a
    • Young Xiao's avatar
      staging: rtl8712: Fix possible buffer overrun · 948ef680
      Young Xiao authored
      commit 300cd664 upstream.
      
      In commit 8b7a13c3 ("staging: r8712u: Fix possible buffer
      overrun") we fix a potential off by one by making the limit smaller.
      The better fix is to make the buffer larger.  This makes it match up
      with the similar code in other drivers.
      
      Fixes: 8b7a13c3 ("staging: r8712u: Fix possible buffer overrun")
      Signed-off-by: default avatarYoung Xiao <YangX92@hotmail.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      948ef680
    • Paulo Alcantara's avatar
      cifs: Fix separator when building path from dentry · b505b9b0
      Paulo Alcantara authored
      commit c988de29 upstream.
      
      Make sure to use the CIFS_DIR_SEP(cifs_sb) as path separator for
      prefixpath too. Fixes a bug with smb1 UNIX extensions.
      
      Fixes: a6b5058f ("fs/cifs: make share unaccessible at root level mountable")
      Signed-off-by: default avatarPaulo Alcantara <palcantara@suse.com>
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b505b9b0
    • Greg Kroah-Hartman's avatar
      staging: atomisp: remove "fun" strncpy warning · a604686c
      Greg Kroah-Hartman authored
      [for older kernels only, atomisp has been removed from upstream]
      
      gcc-8 rightfully warns that this instance of strncpy is just copying
      from the source, to the same source, for a few bytes.  Meaning this call
      does nothing.  As the author of the code obviously meant it to do
      something, but this code must be working properly, just replace the call
      to the kernel internal strscpy() which gcc doesn't know about, so the
      warning goes away.
      
      As this driver was deleted from newer kernel versions, none of this
      really matters but now at least we do not have to worry about a build
      warning in the stable trees.
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a604686c
    • Greg Kroah-Hartman's avatar
      Staging: lustre: remove two build warnings · b4e4b857
      Greg Kroah-Hartman authored
      [for older kernels only, lustre has been removed from upstream]
      
      When someone writes:
      	strncpy(dest, source, sizeof(source));
      they really are just doing the same thing as:
      	strcpy(dest, source);
      but somehow they feel better because they are now using the "safe"
      version of the string functions.  Cargo-cult programming at its
      finest...
      
      gcc-8 rightfully warns you about doing foolish things like this.  Now
      that the stable kernels are all starting to be built using gcc-8, let's
      get rid of this warning so that we do not have to gaze at this horror.
      
      To dropt the warning, just convert the code to using strcpy() so that if
      someone really wants to audit this code and find all of the obvious
      problems, it will be easier to do so.
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b4e4b857
    • Kees Cook's avatar
      swiotlb: clean up reporting · f2a4f762
      Kees Cook authored
      commit 7d63fb3a upstream.
      
      This removes needless use of '%p', and refactors the printk calls to
      use pr_*() helpers instead.
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarKonrad Rzeszutek Wilk <konrad.wilk@oracle.com>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      [bwh: Backported to 4.14:
       - Adjust filename
       - Remove "swiotlb: " prefix from an additional log message]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      f2a4f762
    • Chao Yu's avatar
      f2fs: fix to do sanity check with block address in main area v2 · 38fce19d
      Chao Yu authored
      commit 91291e99 upstream.
      
      This patch adds f2fs_is_valid_blkaddr() in below functions to do sanity
      check with block address to avoid pentential panic:
      - f2fs_grab_read_bio()
      - __written_first_block()
      
      https://bugzilla.kernel.org/show_bug.cgi?id=200465
      
      - Reproduce
      
      - POC (poc.c)
          #define _GNU_SOURCE
          #include <sys/types.h>
          #include <sys/mount.h>
          #include <sys/mman.h>
          #include <sys/stat.h>
          #include <sys/xattr.h>
      
          #include <dirent.h>
          #include <errno.h>
          #include <error.h>
          #include <fcntl.h>
          #include <stdio.h>
          #include <stdlib.h>
          #include <string.h>
          #include <unistd.h>
      
          #include <linux/falloc.h>
          #include <linux/loop.h>
      
          static void activity(char *mpoint) {
      
            char *xattr;
            int err;
      
            err = asprintf(&xattr, "%s/foo/bar/xattr", mpoint);
      
            char buf2[113];
            memset(buf2, 0, sizeof(buf2));
            listxattr(xattr, buf2, sizeof(buf2));
      
          }
      
          int main(int argc, char *argv[]) {
            activity(argv[1]);
            return 0;
          }
      
      - kernel message
      [  844.718738] F2FS-fs (loop0): Mounted with checkpoint version = 2
      [  846.430929] F2FS-fs (loop0): access invalid blkaddr:1024
      [  846.431058] WARNING: CPU: 1 PID: 1249 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.431059] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.431310] CPU: 1 PID: 1249 Comm: a.out Not tainted 4.18.0-rc3+ #1
      [  846.431312] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.431315] RIP: 0010:f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.431316] Code: 00 eb ed 31 c0 83 fa 05 75 ae 48 83 ec 08 48 8b 3f 89 f1 48 c7 c2 fc 0b 0f 8b 48 c7 c6 8b d7 09 8b 88 44 24 07 e8 61 8b ff ff <0f> 0b 0f b6 44 24 07 48 83 c4 08 eb 81 4c 8b 47 10 8b 8f 38 04 00
      [  846.431347] RSP: 0018:ffff961c414a7bc0 EFLAGS: 00010282
      [  846.431349] RAX: 0000000000000000 RBX: ffffc5f787b8ea80 RCX: 0000000000000000
      [  846.431350] RDX: 0000000000000000 RSI: ffff89dfffd165d8 RDI: ffff89dfffd165d8
      [  846.431351] RBP: ffff961c414a7c20 R08: 0000000000000001 R09: 0000000000000248
      [  846.431353] R10: 0000000000000000 R11: 0000000000000248 R12: 0000000000000007
      [  846.431369] R13: ffff89dff5492800 R14: ffff89dfae3aa000 R15: ffff89dff4ff88d0
      [  846.431372] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.431373] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.431374] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.431384] Call Trace:
      [  846.431426]  f2fs_iget+0x6f4/0xe70
      [  846.431430]  ? f2fs_find_entry+0x71/0x90
      [  846.431432]  f2fs_lookup+0x1aa/0x390
      [  846.431452]  __lookup_slow+0x97/0x150
      [  846.431459]  lookup_slow+0x35/0x50
      [  846.431462]  walk_component+0x1c6/0x470
      [  846.431479]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.431488]  ? page_add_file_rmap+0x13/0x200
      [  846.431491]  path_lookupat+0x76/0x230
      [  846.431501]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.431504]  filename_lookup+0xb8/0x1a0
      [  846.431534]  ? _cond_resched+0x16/0x40
      [  846.431541]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.431549]  ? path_listxattr+0x41/0xa0
      [  846.431551]  path_listxattr+0x41/0xa0
      [  846.431570]  do_syscall_64+0x55/0x100
      [  846.431583]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.431607] RIP: 0033:0x7f882de1c0d7
      [  846.431607] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.431639] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.431641] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.431642] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.431643] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.431645] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.431646] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.431648] ---[ end trace abca54df39d14f5c ]---
      [  846.431651] F2FS-fs (loop0): invalid blkaddr: 1024, type: 5, run fsck to fix.
      [  846.431762] WARNING: CPU: 1 PID: 1249 at fs/f2fs/f2fs.h:2697 f2fs_iget+0xd17/0xe70
      [  846.431763] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.431797] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
      [  846.431798] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.431800] RIP: 0010:f2fs_iget+0xd17/0xe70
      [  846.431801] Code: ff ff 48 63 d8 e9 e1 f6 ff ff 48 8b 45 c8 41 b8 05 00 00 00 48 c7 c2 d8 e8 0e 8b 48 c7 c6 1d b0 0a 8b 48 8b 38 e8 f9 b4 00 00 <0f> 0b 48 8b 45 c8 f0 80 48 48 04 e9 d8 f9 ff ff 0f 0b 48 8b 43 18
      [  846.431832] RSP: 0018:ffff961c414a7bd0 EFLAGS: 00010282
      [  846.431834] RAX: 0000000000000000 RBX: ffffc5f787b8ea80 RCX: 0000000000000006
      [  846.431835] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff89dfffd165d0
      [  846.431836] RBP: ffff961c414a7c20 R08: 0000000000000000 R09: 0000000000000273
      [  846.431837] R10: 0000000000000000 R11: ffff89dfad50ca60 R12: 0000000000000007
      [  846.431838] R13: ffff89dff5492800 R14: ffff89dfae3aa000 R15: ffff89dff4ff88d0
      [  846.431840] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.431841] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.431842] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.431846] Call Trace:
      [  846.431850]  ? f2fs_find_entry+0x71/0x90
      [  846.431853]  f2fs_lookup+0x1aa/0x390
      [  846.431856]  __lookup_slow+0x97/0x150
      [  846.431858]  lookup_slow+0x35/0x50
      [  846.431874]  walk_component+0x1c6/0x470
      [  846.431878]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.431880]  ? page_add_file_rmap+0x13/0x200
      [  846.431882]  path_lookupat+0x76/0x230
      [  846.431884]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.431886]  filename_lookup+0xb8/0x1a0
      [  846.431890]  ? _cond_resched+0x16/0x40
      [  846.431891]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.431894]  ? path_listxattr+0x41/0xa0
      [  846.431896]  path_listxattr+0x41/0xa0
      [  846.431898]  do_syscall_64+0x55/0x100
      [  846.431901]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.431902] RIP: 0033:0x7f882de1c0d7
      [  846.431903] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.431934] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.431936] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.431937] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.431939] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.431940] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.431941] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.431943] ---[ end trace abca54df39d14f5d ]---
      [  846.432033] F2FS-fs (loop0): access invalid blkaddr:1024
      [  846.432051] WARNING: CPU: 1 PID: 1249 at fs/f2fs/checkpoint.c:154 f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.432051] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.432085] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
      [  846.432086] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.432089] RIP: 0010:f2fs_is_valid_blkaddr+0x10f/0x160
      [  846.432089] Code: 00 eb ed 31 c0 83 fa 05 75 ae 48 83 ec 08 48 8b 3f 89 f1 48 c7 c2 fc 0b 0f 8b 48 c7 c6 8b d7 09 8b 88 44 24 07 e8 61 8b ff ff <0f> 0b 0f b6 44 24 07 48 83 c4 08 eb 81 4c 8b 47 10 8b 8f 38 04 00
      [  846.432120] RSP: 0018:ffff961c414a7900 EFLAGS: 00010286
      [  846.432122] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000000000006
      [  846.432123] RDX: 0000000000000000 RSI: 0000000000000096 RDI: ffff89dfffd165d0
      [  846.432124] RBP: ffff89dff5492800 R08: 0000000000000001 R09: 000000000000029d
      [  846.432125] R10: ffff961c414a7820 R11: 000000000000029d R12: 0000000000000400
      [  846.432126] R13: 0000000000000000 R14: ffff89dff4ff88d0 R15: 0000000000000000
      [  846.432128] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.432130] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.432131] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.432135] Call Trace:
      [  846.432151]  f2fs_wait_on_block_writeback+0x20/0x110
      [  846.432158]  f2fs_grab_read_bio+0xbc/0xe0
      [  846.432161]  f2fs_submit_page_read+0x21/0x280
      [  846.432163]  f2fs_get_read_data_page+0xb7/0x3c0
      [  846.432165]  f2fs_get_lock_data_page+0x29/0x1e0
      [  846.432167]  f2fs_get_new_data_page+0x148/0x550
      [  846.432170]  f2fs_add_regular_entry+0x1d2/0x550
      [  846.432178]  ? __switch_to+0x12f/0x460
      [  846.432181]  f2fs_add_dentry+0x6a/0xd0
      [  846.432184]  f2fs_do_add_link+0xe9/0x140
      [  846.432186]  __recover_dot_dentries+0x260/0x280
      [  846.432189]  f2fs_lookup+0x343/0x390
      [  846.432193]  __lookup_slow+0x97/0x150
      [  846.432195]  lookup_slow+0x35/0x50
      [  846.432208]  walk_component+0x1c6/0x470
      [  846.432212]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.432215]  ? page_add_file_rmap+0x13/0x200
      [  846.432217]  path_lookupat+0x76/0x230
      [  846.432219]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.432221]  filename_lookup+0xb8/0x1a0
      [  846.432224]  ? _cond_resched+0x16/0x40
      [  846.432226]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.432228]  ? path_listxattr+0x41/0xa0
      [  846.432230]  path_listxattr+0x41/0xa0
      [  846.432233]  do_syscall_64+0x55/0x100
      [  846.432235]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.432237] RIP: 0033:0x7f882de1c0d7
      [  846.432237] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.432269] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.432271] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.432272] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.432273] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.432274] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.432275] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.432277] ---[ end trace abca54df39d14f5e ]---
      [  846.432279] F2FS-fs (loop0): invalid blkaddr: 1024, type: 5, run fsck to fix.
      [  846.432376] WARNING: CPU: 1 PID: 1249 at fs/f2fs/f2fs.h:2697 f2fs_wait_on_block_writeback+0xb1/0x110
      [  846.432376] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.432410] CPU: 1 PID: 1249 Comm: a.out Tainted: G        W         4.18.0-rc3+ #1
      [  846.432411] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.432413] RIP: 0010:f2fs_wait_on_block_writeback+0xb1/0x110
      [  846.432414] Code: 66 90 f0 ff 4b 34 74 59 5b 5d c3 48 8b 7d 00 41 b8 05 00 00 00 89 d9 48 c7 c2 d8 e8 0e 8b 48 c7 c6 1d b0 0a 8b e8 df bc fd ff <0f> 0b f0 80 4d 48 04 e9 67 ff ff ff 48 8b 03 48 c1 e8 37 83 e0 07
      [  846.432445] RSP: 0018:ffff961c414a7910 EFLAGS: 00010286
      [  846.432447] RAX: 0000000000000000 RBX: 0000000000000400 RCX: 0000000000000006
      [  846.432448] RDX: 0000000000000000 RSI: 0000000000000092 RDI: ffff89dfffd165d0
      [  846.432449] RBP: ffff89dff5492800 R08: 0000000000000000 R09: 00000000000002d1
      [  846.432450] R10: ffff961c414a7820 R11: ffff89dfad50cf80 R12: 0000000000000400
      [  846.432451] R13: 0000000000000000 R14: ffff89dff4ff88d0 R15: 0000000000000000
      [  846.432453] FS:  00007f882e2fb700(0000) GS:ffff89dfffd00000(0000) knlGS:0000000000000000
      [  846.432454] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.432455] CR2: 0000000001a88008 CR3: 00000001eb572000 CR4: 00000000000006e0
      [  846.432459] Call Trace:
      [  846.432463]  f2fs_grab_read_bio+0xbc/0xe0
      [  846.432464]  f2fs_submit_page_read+0x21/0x280
      [  846.432466]  f2fs_get_read_data_page+0xb7/0x3c0
      [  846.432468]  f2fs_get_lock_data_page+0x29/0x1e0
      [  846.432470]  f2fs_get_new_data_page+0x148/0x550
      [  846.432473]  f2fs_add_regular_entry+0x1d2/0x550
      [  846.432475]  ? __switch_to+0x12f/0x460
      [  846.432477]  f2fs_add_dentry+0x6a/0xd0
      [  846.432480]  f2fs_do_add_link+0xe9/0x140
      [  846.432483]  __recover_dot_dentries+0x260/0x280
      [  846.432485]  f2fs_lookup+0x343/0x390
      [  846.432488]  __lookup_slow+0x97/0x150
      [  846.432490]  lookup_slow+0x35/0x50
      [  846.432505]  walk_component+0x1c6/0x470
      [  846.432509]  ? memcg_kmem_charge_memcg+0x70/0x90
      [  846.432511]  ? page_add_file_rmap+0x13/0x200
      [  846.432513]  path_lookupat+0x76/0x230
      [  846.432515]  ? __alloc_pages_nodemask+0xfc/0x280
      [  846.432517]  filename_lookup+0xb8/0x1a0
      [  846.432520]  ? _cond_resched+0x16/0x40
      [  846.432522]  ? kmem_cache_alloc+0x160/0x1d0
      [  846.432525]  ? path_listxattr+0x41/0xa0
      [  846.432526]  path_listxattr+0x41/0xa0
      [  846.432529]  do_syscall_64+0x55/0x100
      [  846.432531]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  846.432533] RIP: 0033:0x7f882de1c0d7
      [  846.432533] Code: f0 ff ff 73 01 c3 48 8b 0d be dd 2b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 b8 c2 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 91 dd 2b 00 f7 d8 64 89 01 48
      [  846.432565] RSP: 002b:00007ffe8e66c238 EFLAGS: 00000202 ORIG_RAX: 00000000000000c2
      [  846.432567] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f882de1c0d7
      [  846.432568] RDX: 0000000000000071 RSI: 00007ffe8e66c280 RDI: 0000000001a880c0
      [  846.432569] RBP: 00007ffe8e66c300 R08: 0000000001a88010 R09: 0000000000000000
      [  846.432570] R10: 00000000000001ab R11: 0000000000000202 R12: 0000000000400550
      [  846.432571] R13: 00007ffe8e66c400 R14: 0000000000000000 R15: 0000000000000000
      [  846.432573] ---[ end trace abca54df39d14f5f ]---
      [  846.434280] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
      [  846.434424] PGD 80000001ebd3a067 P4D 80000001ebd3a067 PUD 1eb1ae067 PMD 0
      [  846.434551] Oops: 0000 [#1] SMP PTI
      [  846.434697] CPU: 0 PID: 44 Comm: kworker/u5:0 Tainted: G        W         4.18.0-rc3+ #1
      [  846.434805] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [  846.435000] Workqueue: fscrypt_read_queue decrypt_work
      [  846.435174] RIP: 0010:fscrypt_do_page_crypto+0x6e/0x2d0
      [  846.435351] Code: 00 65 48 8b 04 25 28 00 00 00 48 89 84 24 88 00 00 00 31 c0 e8 43 c2 e0 ff 49 8b 86 48 02 00 00 85 ed c7 44 24 70 00 00 00 00 <48> 8b 58 08 0f 84 14 02 00 00 48 8b 78 10 48 8b 0c 24 48 c7 84 24
      [  846.435696] RSP: 0018:ffff961c40f9bd60 EFLAGS: 00010206
      [  846.435870] RAX: 0000000000000000 RBX: ffffc5f787719b80 RCX: ffffc5f787719b80
      [  846.436051] RDX: ffffffff8b9f4b88 RSI: ffffffff8b0ae622 RDI: ffff961c40f9bdb8
      [  846.436261] RBP: 0000000000001000 R08: ffffc5f787719b80 R09: 0000000000001000
      [  846.436433] R10: 0000000000000018 R11: fefefefefefefeff R12: ffffc5f787719b80
      [  846.436562] R13: ffffc5f787719b80 R14: ffff89dff4ff88d0 R15: 0ffff89dfaddee60
      [  846.436658] FS:  0000000000000000(0000) GS:ffff89dfffc00000(0000) knlGS:0000000000000000
      [  846.436758] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.436898] CR2: 0000000000000008 CR3: 00000001eddd0000 CR4: 00000000000006f0
      [  846.437001] Call Trace:
      [  846.437181]  ? check_preempt_wakeup+0xf2/0x230
      [  846.437276]  ? check_preempt_curr+0x7c/0x90
      [  846.437370]  fscrypt_decrypt_page+0x48/0x4d
      [  846.437466]  __fscrypt_decrypt_bio+0x5b/0x90
      [  846.437542]  decrypt_work+0x12/0x20
      [  846.437651]  process_one_work+0x15e/0x3d0
      [  846.437740]  worker_thread+0x4c/0x440
      [  846.437848]  kthread+0xf8/0x130
      [  846.437938]  ? rescuer_thread+0x350/0x350
      [  846.438022]  ? kthread_associate_blkcg+0x90/0x90
      [  846.438117]  ret_from_fork+0x35/0x40
      [  846.438201] Modules linked in: snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev soundcore serio_raw i2c_piix4 mac_hid ib_iser rdma_cm iw_cm ib_cm ib_core configfs iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 raid10 raid456 libcrc32c async_raid6_recov async_memcpy async_pq async_xor xor async_tx raid6_pq raid1 raid0 multipath linear qxl ttm crct10dif_pclmul crc32_pclmul drm_kms_helper ghash_clmulni_intel syscopyarea sysfillrect sysimgblt fb_sys_fops pcbc drm 8139too aesni_intel 8139cp floppy psmouse mii aes_x86_64 crypto_simd pata_acpi cryptd glue_helper
      [  846.438653] CR2: 0000000000000008
      [  846.438713] ---[ end trace abca54df39d14f60 ]---
      [  846.438796] RIP: 0010:fscrypt_do_page_crypto+0x6e/0x2d0
      [  846.438844] Code: 00 65 48 8b 04 25 28 00 00 00 48 89 84 24 88 00 00 00 31 c0 e8 43 c2 e0 ff 49 8b 86 48 02 00 00 85 ed c7 44 24 70 00 00 00 00 <48> 8b 58 08 0f 84 14 02 00 00 48 8b 78 10 48 8b 0c 24 48 c7 84 24
      [  846.439084] RSP: 0018:ffff961c40f9bd60 EFLAGS: 00010206
      [  846.439176] RAX: 0000000000000000 RBX: ffffc5f787719b80 RCX: ffffc5f787719b80
      [  846.440927] RDX: ffffffff8b9f4b88 RSI: ffffffff8b0ae622 RDI: ffff961c40f9bdb8
      [  846.442083] RBP: 0000000000001000 R08: ffffc5f787719b80 R09: 0000000000001000
      [  846.443284] R10: 0000000000000018 R11: fefefefefefefeff R12: ffffc5f787719b80
      [  846.444448] R13: ffffc5f787719b80 R14: ffff89dff4ff88d0 R15: 0ffff89dfaddee60
      [  846.445558] FS:  0000000000000000(0000) GS:ffff89dfffc00000(0000) knlGS:0000000000000000
      [  846.446687] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  846.447796] CR2: 0000000000000008 CR3: 00000001eddd0000 CR4: 00000000000006f0
      
      - Location
      https://elixir.bootlin.com/linux/v4.18-rc4/source/fs/crypto/crypto.c#L149
      	struct crypto_skcipher *tfm = ci->ci_ctfm;
      Here ci can be NULL
      
      Note that this issue maybe require CONFIG_F2FS_FS_ENCRYPTION=y to reproduce.
      
      Reported-by Wen Xu <wen.xu@gatech.edu>
      Signed-off-by: default avatarChao Yu <yuchao0@huawei.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
      [bwh: Backported to 4.14: adjust context]
      Signed-off-by: default avatarBen Hutchings <ben.hutchings@codethink.co.uk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      38fce19d
    • Mathias Nyman's avatar
      xhci: Prevent U1/U2 link pm states if exit latency is too long · cacfa255
      Mathias Nyman authored
      commit 0472bf06 upstream.
      
      Don't allow USB3 U1 or U2 if the latency to wake up from the U-state
      reaches the service interval for a periodic endpoint.
      
      This is according to xhci 1.1 specification section 4.23.5.2 extra note:
      
      "Software shall ensure that a device is prevented from entering a U-state
       where its worst case exit latency approaches the ESIT."
      
      Allowing too long exit latencies for periodic endpoint confuses xHC
      internal scheduling, and new devices may fail to enumerate with a
      "Not enough bandwidth for new device state" error from the host.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cacfa255
    • Sandeep Singh's avatar
      xhci: workaround CSS timeout on AMD SNPS 3.0 xHC · 3ff01312
      Sandeep Singh authored
      commit a7d57abc upstream.
      
      Occasionally AMD SNPS 3.0 xHC does not respond to
      CSS when set, also it does not flag anything on SRE and HCE
      to point the internal xHC errors on USBSTS register. This stalls
      the entire system wide suspend and there is no point in stalling
      just because of xHC CSS is not responding.
      
      To work around this problem, if the xHC does not flag
      anything on SRE and HCE, we can skip the CSS
      timeout and allow the system to continue the suspend. Once the
      system resume happens we can internally reset the controller
      using XHCI_RESET_ON_RESUME quirk
      Signed-off-by: default avatarShyam Sundar S K <Shyam-sundar.S-k@amd.com>
      Signed-off-by: default avatarSandeep Singh <Sandeep.Singh@amd.com>
      cc: Nehal Shah <Nehal-bakulchandra.Shah@amd.com>
      Cc: <stable@vger.kernel.org>
      Tested-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarMathias Nyman <mathias.nyman@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ff01312
    • Kees Cook's avatar
      ARM: 8806/1: kprobes: Fix false positive with FORTIFY_SOURCE · f9e0bc71
      Kees Cook authored
      commit e46daee5 upstream.
      
      The arm compiler internally interprets an inline assembly label
      as an unsigned long value, not a pointer. As a result, under
      CONFIG_FORTIFY_SOURCE, the address of a label has a size of 4 bytes,
      which was tripping the runtime checks. Instead, we can just cast the label
      (as done with the size calculations earlier).
      
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1639397Reported-by: default avatarWilliam Cohen <wcohen@redhat.com>
      Fixes: 6974f0c4 ("include/linux/string.h: add the option of fortified string.h functions")
      Cc: stable@vger.kernel.org
      Acked-by: default avatarLaura Abbott <labbott@redhat.com>
      Acked-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Tested-by: default avatarWilliam Cohen <wcohen@redhat.com>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9e0bc71
    • Bin Liu's avatar
      dmaengine: cppi41: delete channel from pending list when stop channel · e47a6e68
      Bin Liu authored
      commit 59861547 upstream.
      
      The driver defines three states for a cppi channel.
      - idle: .chan_busy == 0 && not in .pending list
      - pending: .chan_busy == 0 && in .pending list
      - busy: .chan_busy == 1 && not in .pending list
      
      There are cases in which the cppi channel could be in the pending state
      when cppi41_dma_issue_pending() is called after cppi41_runtime_suspend()
      is called.
      
      cppi41_stop_chan() has a bug for these cases to set channels to idle state.
      It only checks the .chan_busy flag, but not the .pending list, then later
      when cppi41_runtime_resume() is called the channels in .pending list will
      be transitioned to busy state.
      
      Removing channels from the .pending list solves the problem.
      
      Fixes: 975faaeb ("dma: cppi41: start tear down only if channel is busy")
      Cc: stable@vger.kernel.org # v3.15+
      Signed-off-by: default avatarBin Liu <b-liu@ti.com>
      Reviewed-by: default avatarPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e47a6e68
    • Andy Shevchenko's avatar
      dmaengine: dw: Fix FIFO size for Intel Merrifield · bc3d506a
      Andy Shevchenko authored
      commit ffe843b1 upstream.
      
      Intel Merrifield has a reduced size of FIFO used in iDMA 32-bit controller,
      i.e. 512 bytes instead of 1024.
      
      Fix this by partitioning it as 64 bytes per channel.
      
      Note, in the future we might switch to 'fifo-size' property instead of
      hard coded value.
      
      Fixes: 199244d6 ("dmaengine: dw: add support of iDMA 32-bit hardware")
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bc3d506a
    • Chuck Lever's avatar
      SUNRPC: Fix leak of krb5p encode pages · e3dccb52
      Chuck Lever authored
      commit 8dae5398 upstream.
      
      call_encode can be invoked more than once per RPC call. Ensure that
      each call to gss_wrap_req_priv does not overwrite pointers to
      previously allocated memory.
      Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
      Cc: stable@kernel.org
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3dccb52
    • Stefan Hajnoczi's avatar
      vhost/vsock: fix use-after-free in network stack callers · f15c072d
      Stefan Hajnoczi authored
      commit 834e772c upstream.
      
      If the network stack calls .send_pkt()/.cancel_pkt() during .release(),
      a struct vhost_vsock use-after-free is possible.  This occurs because
      .release() does not wait for other CPUs to stop using struct
      vhost_vsock.
      
      Switch to an RCU-enabled hashtable (indexed by guest CID) so that
      .release() can wait for other CPUs by calling synchronize_rcu().  This
      also eliminates vhost_vsock_lock acquisition in the data path so it
      could have a positive effect on performance.
      
      This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt".
      
      Cc: stable@vger.kernel.org
      Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com
      Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com
      Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com
      Signed-off-by: default avatarStefan Hajnoczi <stefanha@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f15c072d
    • Halil Pasic's avatar
      virtio/s390: fix race in ccw_io_helper() · 52b993b4
      Halil Pasic authored
      commit 78b1a52e upstream.
      
      While ccw_io_helper() seems like intended to be exclusive in a sense that
      it is supposed to facilitate I/O for at most one thread at any given
      time, there is actually nothing ensuring that threads won't pile up at
      vcdev->wait_q. If they do, all threads get woken up and see the status
      that belongs to some other request than their own. This can lead to bugs.
      For an example see:
      https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1788432
      
      This race normally does not cause any problems. The operations provided
      by struct virtio_config_ops are usually invoked in a well defined
      sequence, normally don't fail, and are normally used quite infrequent
      too.
      
      Yet, if some of the these operations are directly triggered via sysfs
      attributes, like in the case described by the referenced bug, userspace
      is given an opportunity to force races by increasing the frequency of the
      given operations.
      
      Let us fix the problem by ensuring, that for each device, we finish
      processing the previous request before starting with a new one.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.ibm.com>
      Reported-by: default avatarColin Ian King <colin.king@canonical.com>
      Cc: stable@vger.kernel.org
      Message-Id: <20180925121309.58524-3-pasic@linux.ibm.com>
      Signed-off-by: default avatarCornelia Huck <cohuck@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52b993b4
    • Halil Pasic's avatar
      virtio/s390: avoid race on vcdev->config · 73f6d525
      Halil Pasic authored
      commit 2448a299 upstream.
      
      Currently we have a race on vcdev->config in virtio_ccw_get_config() and
      in virtio_ccw_set_config().
      
      This normally does not cause problems, as these are usually infrequent
      operations. However, for some devices writing to/reading from the config
      space can be triggered through sysfs attributes. For these, userspace can
      force the race by increasing the frequency.
      Signed-off-by: default avatarHalil Pasic <pasic@linux.ibm.com>
      Cc: stable@vger.kernel.org
      Message-Id: <20180925121309.58524-2-pasic@linux.ibm.com>
      Signed-off-by: default avatarCornelia Huck <cohuck@redhat.com>
      Signed-off-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73f6d525
    • Takashi Iwai's avatar
      ALSA: hda/realtek - Fix speaker output regression on Thinkpad T570 · 01a02e66
      Takashi Iwai authored
      commit 54947cd6 upstream.
      
      We've got a regression report for some Thinkpad models (at least
      T570s) which shows the too low speaker output volume.  The bisection
      leaded to the commit 61fcf8ec ("ALSA: hda/realtek - Enable Thinkpad
      Dock device for ALC298 platform"), and it's basically adding the two
      pin configurations for the dock, and looks harmless.
      
      The real culprit seems, though, that the DAC assignment for the
      speaker pin is implicitly assumed on these devices, i.e. pin NID 0x14
      to be coupled with DAC NID 0x03.  When more pins are configured by the
      commit above, the auto-parser changes the DAC assignment, and this
      resulted in the regression.
      
      As a workaround, just provide the fixed pin / DAC mapping table for
      this Thinkpad fixup function.  It's no generic solution, but the
      problem itself is pretty much device-specific, so must be good
      enough.
      
      Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1554304
      Fixes: 61fcf8ec ("ALSA: hda/realtek - Enable Thinkpad Dock device for ALC298 platform")
      Cc: <stable@vger.kernel.org>
      Reported-and-tested-by: default avatarJeremy Cline <jcline@redhat.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01a02e66
    • Takashi Iwai's avatar
      ALSA: pcm: Fix interval evaluation with openmin/max · 7852f54f
      Takashi Iwai authored
      commit 5363857b upstream.
      
      As addressed in alsa-lib (commit b420056604f0), we need to fix the
      case where the evaluation of PCM interval "(x x+1]" leading to
      -EINVAL.  After applying rules, such an interval may be translated as
      "(x x+1)".
      
      Fixes: ff2d6acd ("ALSA: pcm: Fix snd_interval_refine first/last with open min/max")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7852f54f
    • Takashi Iwai's avatar
      ALSA: pcm: Call snd_pcm_unlink() conditionally at closing · cabb9539
      Takashi Iwai authored
      commit b51abed8 upstream.
      
      Currently the PCM core calls snd_pcm_unlink() always unconditionally
      at closing a stream.  However, since snd_pcm_unlink() invokes the
      global rwsem down, the lock can be easily contended.  More badly, when
      a thread runs in a high priority RT-FIFO, it may stall at spinning.
      
      Basically the call of snd_pcm_unlink() is required only for the linked
      streams that are already rare occasion.  For normal use cases, this
      code path is fairly superfluous.
      
      As an optimization (and also as a workaround for the RT problem
      above in normal situations without linked streams), this patch adds a
      check before calling snd_pcm_unlink() and calls it only when needed.
      Reported-by: default avatarChanho Min <chanho.min@lge.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cabb9539
    • Chanho Min's avatar
      ALSA: pcm: Fix starvation on down_write_nonblock() · 108ab9ea
      Chanho Min authored
      commit b888a5f7 upstream.
      
      Commit 67ec1072 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM
      stream") fixes deadlock for non-atomic PCM stream. But, This patch
      causes antother stuck.
      If writer is RT thread and reader is a normal thread, the reader
      thread will be difficult to get scheduled. It may not give chance to
      release readlocks and writer gets stuck for a long time if they are
      pinned to single cpu.
      
      The deadlock described in the previous commit is because the linux
      rwsem queues like a FIFO. So, we might need non-FIFO writelock, not
      non-block one.
      
      My suggestion is that the writer gives reader a chance to be scheduled
      by using the minimum msleep() instaed of spinning without blocking by
      writer. Also, The *_nonblock may be changed to *_nonfifo appropriately
      to this concept.
      In terms of performance, when trylock is failed, this minimum periodic
      msleep will have the same performance as the tick-based
      schedule()/wake_up_q().
      
      [ Although this has a fairly high performance penalty, the relevant
        code path became already rare due to the previous commit ("ALSA:
        pcm: Call snd_pcm_unlink() conditionally at closing").  That is, now
        this unconditional msleep appears only when using linked streams,
        and this must be a rare case.  So we accept this as a quick
        workaround until finding a more suitable one -- tiwai ]
      
      Fixes: 67ec1072 ("ALSA: pcm: Fix rwsem deadlock for non-atomic PCM stream")
      Suggested-by: default avatarWonmin Jung <wonmin.jung@lge.com>
      Signed-off-by: default avatarChanho Min <chanho.min@lge.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      108ab9ea
    • Kai-Heng Feng's avatar
      ALSA: hda: Add support for AMD Stoney Ridge · 0618c71c
      Kai-Heng Feng authored
      commit 3deef52c upstream.
      
      It's similar to other AMD audio devices, it also supports D3, which can
      save some power drain.
      Signed-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0618c71c
    • Hui Peng's avatar
      ALSA: usb-audio: Fix UAF decrement if card has no live interfaces in card.c · 19f74e45
      Hui Peng authored
      commit 5f8cf712 upstream.
      
      If a USB sound card reports 0 interfaces, an error condition is triggered
      and the function usb_audio_probe errors out. In the error path, there was a
      use-after-free vulnerability where the memory object of the card was first
      freed, followed by a decrement of the number of active chips. Moving the
      decrement above the atomic_dec fixes the UAF.
      
      [ The original problem was introduced in 3.1 kernel, while it was
        developed in a different form.  The Fixes tag below indicates the
        original commit but it doesn't mean that the patch is applicable
        cleanly. -- tiwai ]
      
      Fixes: 362e4e49 ("ALSA: usb-audio - clear chip->probing on error exit")
      Reported-by: default avatarHui Peng <benquike@gmail.com>
      Reported-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Signed-off-by: default avatarHui Peng <benquike@gmail.com>
      Signed-off-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19f74e45