1. 16 Jun, 2018 24 commits
    • Paolo Bonzini's avatar
      kvm: x86: use correct privilege level for sgdt/sidt/fxsave/fxrstor access · 53e4b19f
      Paolo Bonzini authored
      commit 3c9fa24c upstream.
      
      The functions that were used in the emulation of fxrstor, fxsave, sgdt and
      sidt were originally meant for task switching, and as such they did not
      check privilege levels.  This is very bad when the same functions are used
      in the emulation of unprivileged instructions.  This is CVE-2018-10853.
      
      The obvious fix is to add a new argument to ops->read_std and ops->write_std,
      which decides whether the access is a "system" access or should use the
      processor's CPL.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      53e4b19f
    • Dave Martin's avatar
      tty: pl011: Avoid spuriously stuck-off interrupts · 739ac8f4
      Dave Martin authored
      commit 4a7e625c upstream.
      
      Commit 9b96fbac ("serial: PL011: clear pending interrupts")
      clears the RX and receive timeout interrupts on pl011 startup, to
      avoid a screaming-interrupt scenario that can occur when the
      firmware or bootloader leaves these interrupts asserted.
      
      This has been noted as an issue when running Linux on qemu [1].
      
      Unfortunately, the above fix seems to lead to potential
      misbehaviour if the RX FIFO interrupt is asserted _non_ spuriously
      on driver startup, if the RX FIFO is also already full to the
      trigger level.
      
      Clearing the RX FIFO interrupt does not change the FIFO fill level.
      In this scenario, because the interrupt is now clear and because
      the FIFO is already full to the trigger level, no new assertion of
      the RX FIFO interrupt can occur unless the FIFO is drained back
      below the trigger level.  This never occurs because the pl011
      driver is waiting for an RX FIFO interrupt to tell it that there is
      something to read, and does not read the FIFO at all until that
      interrupt occurs.
      
      Thus, simply clearing "spurious" interrupts on startup may be
      misguided, since there is no way to be sure that the interrupts are
      truly spurious, and things can go wrong if they are not.
      
      This patch instead clears the interrupt condition by draining the
      RX FIFO during UART startup, after clearing any potentially
      spurious interrupt.  This should ensure that an interrupt will
      definitely be asserted if the RX FIFO subsequently becomes
      sufficiently full.
      
      The drain is done at the point of enabling interrupts only.  This
      means that it will occur any time the UART is newly opened through
      the tty layer.  It will not apply to polled-mode use of the UART by
      kgdboc: since that scenario cannot use interrupts by design, this
      should not matter.  kgdboc will interact badly with "normal" use of
      the UART in any case: this patch makes no attempt to paper over
      such issues.
      
      This patch does not attempt to address the case where the RX FIFO
      fills faster than it can be drained: that is a pathological
      hardware design problem that is beyond the scope of the driver to
      work around.  As a failsafe, the number of poll iterations for
      draining the FIFO is limited to twice the FIFO size.  This will
      ensure that the kernel at least boots even if it is impossible to
      drain the FIFO for some reason.
      
      [1] [Qemu-devel] [Qemu-arm] [PATCH] pl011: do not put into fifo
      before enabled the interruption
      https://lists.gnu.org/archive/html/qemu-devel/2018-01/msg06446.htmlReported-by: default avatarWei Xu <xuwei5@hisilicon.com>
      Cc: Russell King <linux@armlinux.org.uk>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: Peter Maydell <peter.maydell@linaro.org>
      Fixes: 9b96fbac ("serial: PL011: clear pending interrupts")
      Signed-off-by: default avatarDave Martin <Dave.Martin@arm.com>
      Cc: stable <stable@vger.kernel.org>
      Tested-by: default avatarWei Xu <xuwei5@hisilicon.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      739ac8f4
    • Gil Kupfer's avatar
      vmw_balloon: fixing double free when batching mode is off · 5ee296fd
      Gil Kupfer authored
      commit b23220fe upstream.
      
      The balloon.page field is used for two different purposes if batching is
      on or off. If batching is on, the field point to the page which is used
      to communicate with with the hypervisor. If it is off, balloon.page
      points to the page that is about to be (un)locked.
      
      Unfortunately, this dual-purpose of the field introduced a bug: when the
      balloon is popped (e.g., when the machine is reset or the balloon driver
      is explicitly removed), the balloon driver frees, unconditionally, the
      page that is held in balloon.page.  As a result, if batching is
      disabled, this leads to double freeing the last page that is sent to the
      hypervisor.
      
      The following error occurs during rmmod when kernel checkers are on, and
      the balloon is not empty:
      
      [   42.307653] ------------[ cut here ]------------
      [   42.307657] Kernel BUG at ffffffffba1e4b28 [verbose debug info unavailable]
      [   42.307720] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC
      [   42.312512] Modules linked in: vmw_vsock_vmci_transport vsock ppdev joydev vmw_balloon(-) input_leds serio_raw vmw_vmci parport_pc shpchp parport i2c_piix4 nfit mac_hid autofs4 vmwgfx drm_kms_helper hid_generic syscopyarea sysfillrect usbhid sysimgblt fb_sys_fops hid ttm mptspi scsi_transport_spi ahci mptscsih drm psmouse vmxnet3 libahci mptbase pata_acpi
      [   42.312766] CPU: 10 PID: 1527 Comm: rmmod Not tainted 4.12.0+ #5
      [   42.312803] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 09/30/2016
      [   42.313042] task: ffff9bf9680f8000 task.stack: ffffbfefc1638000
      [   42.313290] RIP: 0010:__free_pages+0x38/0x40
      [   42.313510] RSP: 0018:ffffbfefc163be98 EFLAGS: 00010246
      [   42.313731] RAX: 000000000000003e RBX: ffffffffc02b9720 RCX: 0000000000000006
      [   42.313972] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9bf97e08e0a0
      [   42.314201] RBP: ffffbfefc163be98 R08: 0000000000000000 R09: 0000000000000000
      [   42.314435] R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffc02b97e4
      [   42.314505] R13: ffffffffc02b9748 R14: ffffffffc02b9728 R15: 0000000000000200
      [   42.314550] FS:  00007f3af5fec700(0000) GS:ffff9bf97e080000(0000) knlGS:0000000000000000
      [   42.314599] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   42.314635] CR2: 00007f44f6f4ab24 CR3: 00000003a7d12000 CR4: 00000000000006e0
      [   42.314864] Call Trace:
      [   42.315774]  vmballoon_pop+0x102/0x130 [vmw_balloon]
      [   42.315816]  vmballoon_exit+0x42/0xd64 [vmw_balloon]
      [   42.315853]  SyS_delete_module+0x1e2/0x250
      [   42.315891]  entry_SYSCALL_64_fastpath+0x23/0xc2
      [   42.315924] RIP: 0033:0x7f3af5b0e8e7
      [   42.315949] RSP: 002b:00007fffe6ce0148 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0
      [   42.315996] RAX: ffffffffffffffda RBX: 000055be676401e0 RCX: 00007f3af5b0e8e7
      [   42.316951] RDX: 000000000000000a RSI: 0000000000000800 RDI: 000055be67640248
      [   42.317887] RBP: 0000000000000003 R08: 0000000000000000 R09: 1999999999999999
      [   42.318845] R10: 0000000000000883 R11: 0000000000000206 R12: 00007fffe6cdf130
      [   42.319755] R13: 0000000000000000 R14: 0000000000000000 R15: 000055be676401e0
      [   42.320606] Code: c0 74 1c f0 ff 4f 1c 74 02 5d c3 85 f6 74 07 e8 0f d8 ff ff 5d c3 31 f6 e8 c6 fb ff ff 5d c3 48 c7 c6 c8 0f c5 ba e8 58 be 02 00 <0f> 0b 66 0f 1f 44 00 00 66 66 66 66 90 48 85 ff 75 01 c3 55 48
      [   42.323462] RIP: __free_pages+0x38/0x40 RSP: ffffbfefc163be98
      [   42.325735] ---[ end trace 872e008e33f81508 ]---
      
      To solve the bug, we eliminate the dual purpose of balloon.page.
      
      Fixes: f220a80f ("VMware balloon: add batching to the vmw_balloon.")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarOleksandr Natalenko <onatalen@redhat.com>
      Signed-off-by: default avatarGil Kupfer <gilkup@gmail.com>
      Signed-off-by: default avatarNadav Amit <namit@vmware.com>
      Reviewed-by: default avatarXavier Deguillard <xdeguillard@vmware.com>
      Tested-by: default avatarOleksandr Natalenko <oleksandr@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5ee296fd
    • Tony Lindgren's avatar
      serial: 8250: omap: Fix idling of clocks for unused uarts · a64ff0be
      Tony Lindgren authored
      commit 13dc04d0 upstream.
      
      I noticed that unused UARTs won't necessarily idle properly always
      unless at least one byte tx transfer is done first.
      
      After some debugging I narrowed down the problem to the scr register
      dma configuration bits that need to be set before softreset for the
      clocks to idle. Unless we do this, the module clkctrl idlest bits
      may be set to 1 instead of 3 meaning the clock will never idle and
      is blocking deeper idle states for the whole domain.
      
      This might be related to the configuration done by the bootloader
      or kexec booting where certain configurations cause the 8250 or
      the clkctrl clock to jam in a way where setting of the scr bits
      and reset is needed to clear it. I've tried diffing the 8250
      registers for the various modes, but did not see anything specific.
      So far I've only seen this on omap4 but I'm suspecting this might
      also happen on the other clkctrl using SoCs considering they
      already have a quirk enabled for UART_ERRATA_CLOCK_DISABLE.
      
      Let's fix the issue by configuring scr before reset for basic dma
      even if we don't use it. The scr register will be reset when we do
      softreset few lines after, and we restore scr on resume. We should
      do this for all the SoCs with UART_ERRATA_CLOCK_DISABLE quirk flag
      set since the ones with UART_ERRATA_CLOCK_DISABLE are all based
      using clkctrl similar to omap4.
      
      Looks like both OMAP_UART_SCR_DMAMODE_1 | OMAP_UART_SCR_DMAMODE_CTL
      bits are needed for the clkctrl to idle after a softreset.
      
      And we need to add omap4 to also use the UART_ERRATA_CLOCK_DISABLE
      for the related workaround to be enabled. This same compatible
      value will also be used for omap5.
      
      Fixes: cdb929e4 ("serial: 8250_omap: workaround errata around idling UART after using DMA")
      Cc: Keerthy <j-keerthy@ti.com>
      Cc: Matthijs van Duin <matthijsvanduin@gmail.com>
      Cc: Sekhar Nori <nsekhar@ti.com>
      Cc: Tero Kristo <t-kristo@ti.com>
      Signed-off-by: default avatarTony Lindgren <tony@atomide.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a64ff0be
    • Marek Szyprowski's avatar
      serial: samsung: fix maxburst parameter for DMA transactions · 804f0901
      Marek Szyprowski authored
      commit aa2f80e7 upstream.
      
      The best granularity of residue that DMA engine can report is in the BURST
      units, so the serial driver must use MAXBURST = 1 and DMA_SLAVE_BUSWIDTH_1_BYTE
      if it relies on exact number of bytes transferred by DMA engine.
      
      Fixes: 62c37eed ("serial: samsung: add dma reqest/release functions")
      Signed-off-by: default avatarMarek Szyprowski <m.szyprowski@samsung.com>
      Acked-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      804f0901
    • Sebastian Andrzej Siewior's avatar
      tty/serial: atmel: use port->name as name in request_irq() · db30b8eb
      Sebastian Andrzej Siewior authored
      commit 9594b5be upstream.
      
      I was puzzled while looking at /proc/interrupts and random things showed
      up between reboots. This occurred more often but I realised it later. The
      "correct" output should be:
      |38:      11861  atmel-aic5   2 Level     ttyS0
      
      but I saw sometimes
      |38:       6426  atmel-aic5   2 Level     tty1
      
      and accounted it wrongly as correct. This is use after free and the
      former example randomly got the "old" pointer which pointed to the same
      content. With SLAB_FREELIST_RANDOM and HARDENED I even got
      |38:       7067  atmel-aic5   2 Level     E=Started User Manager for UID 0
      
      or other nonsense.
      As it turns out the tty, pointer that is accessed in atmel_startup(), is
      freed() before atmel_shutdown(). It seems to happen quite often that the
      tty for ttyS0 is allocated and freed while ->shutdown is not invoked. I
      don't do anything special - just a systemd boot :)
      
      Use dev_name(&pdev->dev) as the IRQ name for request_irq(). This exists
      as long as the driver is loaded so no use-after-free here.
      
      Cc: stable@vger.kernel.org
      Fixes: 761ed4a9 ("tty: serial_core: convert uart_close to use tty_port_close")
      Acked-by: default avatarRichard Genoud <richard.genoud@gmail.com>
      Acked-by: default avatarRob Herring <robh@kernel.org>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db30b8eb
    • Geert Uytterhoeven's avatar
      serial: sh-sci: Stop using printk format %pCr · 95b8204b
      Geert Uytterhoeven authored
      commit d63c16f8 upstream.
      
      Printk format "%pCr" will be removed soon, as clk_get_rate() must not be
      called in atomic context.
      
      Replace it by open-coding the operation.  This is safe here, as the code
      runs in task context.
      
      Link: http://lkml.kernel.org/r/1527845302-12159-4-git-send-email-geert+renesas@glider.be
      To: Jia-Ju Bai <baijiaju1990@gmail.com>
      To: Jonathan Corbet <corbet@lwn.net>
      To: Michael Turquette <mturquette@baylibre.com>
      To: Stephen Boyd <sboyd@kernel.org>
      To: Zhang Rui <rui.zhang@intel.com>
      To: Eduardo Valentin <edubezval@gmail.com>
      To: Eric Anholt <eric@anholt.net>
      To: Stefan Wahren <stefan.wahren@i2se.com>
      To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Sergey Senozhatsky <sergey.senozhatsky.work@gmail.com>
      Cc: Petr Mladek <pmladek@suse.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: linux-doc@vger.kernel.org
      Cc: linux-clk@vger.kernel.org
      Cc: linux-pm@vger.kernel.org
      Cc: linux-serial@vger.kernel.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: linux-renesas-soc@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Geert Uytterhoeven <geert+renesas@glider.be>
      Cc: stable@vger.kernel.org # 4.5+
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      95b8204b
    • Yoshihiro Shimoda's avatar
      usb: gadget: udc: renesas_usb3: disable the controller's irqs for reconnecting · d6a9e699
      Yoshihiro Shimoda authored
      commit bd6bce00 upstream.
      
      This patch fixes an issue that reconnection is possible to fail
      because unexpected state handling happens by the irqs. To fix the issue,
      the driver disables the controller's irqs when disconnected.
      
      Fixes: 746bfe63 ("usb: gadget: renesas_usb3: add support for Renesas USB3.0 peripheral controller")
      Cc: <stable@vger.kernel.org> # v4.5+
      Reviewed-by: default avatarSimon Horman <horms+renesas@verge.net.au>
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6a9e699
    • Yoshihiro Shimoda's avatar
      usb: gadget: function: printer: avoid wrong list handling in printer_write() · 262af4fe
      Yoshihiro Shimoda authored
      commit 4a014a73 upstream.
      
      When printer_write() calls usb_ep_queue(), a udc driver (e.g.
      renesas_usbhs driver) may call usb_gadget_giveback_request() in
      the udc .queue ops immediately. Then, printer_write() calls
      list_add(&req->list, &dev->tx_reqs_active) wrongly. After that,
      if we do unbind the printer driver, WARN_ON() happens in
      printer_func_unbind() because the list entry is not removed.
      
      So, this patch moves list_add(&req->list, &dev->tx_reqs_active)
      calling before usb_ep_queue().
      Signed-off-by: default avatarYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Acked-by: default avatarFelipe Balbi <felipe.balbi@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      262af4fe
    • Manu Gautam's avatar
      phy: qcom-qusb2: Fix crash if nvmem cell not specified · 874cb201
      Manu Gautam authored
      commit 0b4555e7 upstream.
      
      Driver currently crashes due to NULL pointer deference
      while updating PHY tune register if nvmem cell is NULL.
      Since, fused value for Tune1/2 register is optional,
      we'd rather bail out.
      
      Fixes: ca04d9d3 ("phy: qcom-qusb2: New driver for QUSB2 PHY on Qcom chips")
      Reviewed-by: default avatarVivek Gautam <vivek.gautam@codeaurora.org>
      Reviewed-by: default avatarEvan Green <evgreen@chromium.org>
      Cc: stable <stable@vger.kernel.org> # 4.14+
      Signed-off-by: default avatarManu Gautam <mgautam@codeaurora.org>
      Signed-off-by: default avatarKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      874cb201
    • Ethan Lee's avatar
      Input: xpad - add GPD Win 2 Controller USB IDs · cb6b5869
      Ethan Lee authored
      commit c1ba0839 upstream.
      
      GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp
      
      Tested on a unit from the first production run sent to Indiegogo backers
      Signed-off-by: default avatarEthan Lee <flibitijibibo@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cb6b5869
    • Alexander Kappner's avatar
      usb-storage: Add compatibility quirk flags for G-Technologies G-Drive · 5c2e9e9b
      Alexander Kappner authored
      commit ca7d9515 upstream.
      
      The "G-Drive" (sold by G-Technology) external USB 3.0 drive
       hangs on write access under UAS and usb-storage:
      
      [  136.079121] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [  136.079144] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current]
      [  136.079152] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb
      [  136.079176] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 00 00 00 00 00 00 00 08 00 00
      [  136.079180] print_req_error: critical target error, dev sdi, sector 0
      [  136.079183] Buffer I/O error on dev sdi, logical block 0, lost sync page write
      [  136.173148] EXT4-fs (sdi): mounted filesystem with ordered data mode. Opts: (null)
      [  140.583998] sd 15:0:0:0: [sdi] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
      [  140.584010] sd 15:0:0:0: [sdi] tag#0 Sense Key : Illegal Request [current]
      [  140.584016] sd 15:0:0:0: [sdi] tag#0 Add. Sense: Invalid field in cdb
      [  140.584022] sd 15:0:0:0: [sdi] tag#0 CDB: Write(16) 8a 08 00 00 00 00 e8 c4 00 18 00 00 00 08 00 00
      [  140.584025] print_req_error: critical target error, dev sdi, sector 3905159192
      [  140.584044] print_req_error: critical target error, dev sdi, sector 3905159192
      [  140.584052] Aborting journal on device sdi-8.
      
      The proposed patch adds compatibility quirks. Because the drive requires two
      quirks (one to work with UAS, and another to work with usb-storage), adding this
      under unusual_devs.h and not just unusual_uas.h so kernels compiled without UAS
      receive the quirk. With the patch, the drive works reliably on UAS and usb-
      storage.
      (tested on NEC Corporation uPD720200 USB 3.0 host controller).
      Signed-off-by: default avatarAlexander Kappner <agk@godking.net>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c2e9e9b
    • Alexander Kappner's avatar
      usb-storage: Add support for FL_ALWAYS_SYNC flag in the UAS driver · c839680e
      Alexander Kappner authored
      commit 8c4e97dd upstream.
      
      The ALWAYS_SYNC flag is currently honored by the usb-storage driver but not UAS
      and is required to work around devices that become unstable upon being
      queried for cache. This code is taken straight from:
      drivers/usb/storage/scsiglue.c:284
      Signed-off-by: default avatarAlexander Kappner <agk@godking.net>
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Cc: stable <stable@vger.kernel.org>
      Acked-by: default avatarOliver Neukum <oneukum@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c839680e
    • Gustavo A. R. Silva's avatar
      usbip: vhci_sysfs: fix potential Spectre v1 · f31eb729
      Gustavo A. R. Silva authored
      commit a0d6ec88 upstream.
      
      pdev_nr and rhport can be controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      drivers/usb/usbip/vhci_sysfs.c:238 detach_store() warn: potential spectre issue 'vhcis'
      drivers/usb/usbip/vhci_sysfs.c:328 attach_store() warn: potential spectre issue 'vhcis'
      drivers/usb/usbip/vhci_sysfs.c:338 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_ss->vdev'
      drivers/usb/usbip/vhci_sysfs.c:340 attach_store() warn: potential spectre issue 'vhci->vhci_hcd_hs->vdev'
      
      Fix this by sanitizing pdev_nr and rhport before using them to index
      vhcis and vhci->vhci_hcd_ss->vdev respectively.
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Acked-by: default avatarShuah Khan (Samsung OSG) <shuah@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f31eb729
    • Greg Kroah-Hartman's avatar
      NFC: pn533: don't send USB data off of the stack · 1caeb502
      Greg Kroah-Hartman authored
      commit dbafc289 upstream.
      
      It's amazing that this driver ever worked, but now that x86 doesn't
      allow USB data to be sent off of the stack, it really does not work at
      all.  Fix this up by properly allocating the data for the small
      "commands" that get sent to the device off of the stack.
      
      We do this for one command by having a whole urb just for ack messages,
      as they can be submitted in interrupt context, so we can not use
      usb_bulk_msg().  But the poweron command can sleep (and does), so use
      usb_bulk_msg() for that transfer.
      Reported-by: default avatarCarlos Manuel Santos <cmmpsantos@gmail.com>
      Cc: Samuel Ortiz <sameo@linux.intel.com>
      Cc: Stephen Hemminger <stephen@networkplumber.org>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1caeb502
    • Laura Abbott's avatar
      staging: android: ion: Switch to pr_warn_once in ion_buffer_destroy · f1769a9b
      Laura Abbott authored
      commit 45ad559a upstream.
      
      Syzbot reported yet another warning with Ion:
      
      WARNING: CPU: 0 PID: 1467 at drivers/staging/android/ion/ion.c:122
      ion_buffer_destroy+0xd4/0x190 drivers/staging/android/ion/ion.c:122
      Kernel panic - not syncing: panic_on_warn set ...
      
      This is catching that a buffer was freed with an existing kernel mapping
      still present. This can be easily be triggered from userspace by calling
      DMA_BUF_SYNC_START without calling DMA_BUF_SYNC_END. Switch to a single
      pr_warn_once to indicate the error without being disruptive.
      
      Reported-by: syzbot+cd8bcd40cb049efa2770@syzkaller.appspotmail.com
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarLaura Abbott <labbott@redhat.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f1769a9b
    • Paolo Bonzini's avatar
      KVM: x86: pass kvm_vcpu to kvm_read_guest_virt and kvm_write_guest_virt_system · bd2742e8
      Paolo Bonzini authored
      commit ce14e868 upstream.
      
      Int the next patch the emulator's .read_std and .write_std callbacks will
      grow another argument, which is not needed in kvm_read_guest_virt and
      kvm_write_guest_virt_system's callers.  Since we have to make separate
      functions, let's give the currently existing names a nicer interface, too.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bd2742e8
    • Felix Wilhelm's avatar
      kvm: nVMX: Enforce cpl=0 for VMX instructions · b1bd9caf
      Felix Wilhelm authored
      commit 727ba748 upstream.
      
      VMX instructions executed inside a L1 VM will always trigger a VM exit
      even when executed with cpl 3. This means we must perform the
      privilege check in software.
      
      Fixes: 70f3aac9("kvm: nVMX: Remove superfluous VMX instruction fault checks")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Wilhelm <fwilhelm@google.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1bd9caf
    • Paolo Bonzini's avatar
      KVM: x86: introduce linear_{read,write}_system · 3d2f0339
      Paolo Bonzini authored
      commit 79367a65 upstream.
      
      Wrap the common invocation of ctxt->ops->read_std and ctxt->ops->write_std, so
      as to have a smaller patch when the functions grow another argument.
      
      Fixes: 129a72a0 ("KVM: x86: Introduce segmented_write_std", 2017-01-12)
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3d2f0339
    • Wanpeng Li's avatar
      KVM: X86: Fix reserved bits check for MOV to CR3 · 9791d9d7
      Wanpeng Li authored
      commit a780a3ea upstream.
      
      MSB of CR3 is a reserved bit if the PCIDE bit is not set in CR4.
      It should be checked when PCIDE bit is not set, however commit
      'd1cd3ce9 ("KVM: MMU: check guest CR3 reserved bits based on
      its physical address width")' removes the bit 63 checking
      unconditionally. This patch fixes it by checking bit 63 of CR3
      when PCIDE bit is not set in CR4.
      
      Fixes: d1cd3ce9 (KVM: MMU: check guest CR3 reserved bits based on its physical address width)
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Radim Krčmář <rkrcmar@redhat.com>
      Cc: Liran Alon <liran.alon@oracle.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarJunaid Shahid <junaids@google.com>
      Signed-off-by: default avatarWanpeng Li <wanpengli@tencent.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9791d9d7
    • Linus Walleij's avatar
      gpio: No NULL owner · c7a372dd
      Linus Walleij authored
      commit 7d18f0a1 upstream.
      
      Sometimes a GPIO is fetched with NULL as parent device, and
      that is just fine. So under these circumstances, avoid using
      dev_name() to provide a name for the GPIO line.
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Cc: Daniel Rosenberg <drosen@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c7a372dd
    • Kevin Easton's avatar
      af_key: Always verify length of provided sadb_key · 7d970250
      Kevin Easton authored
      commit 4b66af2d upstream.
      
      Key extensions (struct sadb_key) include a user-specified number of key
      bits.  The kernel uses that number to determine how much key data to copy
      out of the message in pfkey_msg2xfrm_state().
      
      The length of the sadb_key message must be verified to be long enough,
      even in the case of SADB_X_AALG_NULL.  Furthermore, the sadb_key_len value
      must be long enough to include both the key data and the struct sadb_key
      itself.
      
      Introduce a helper function verify_key_len(), and call it from
      parse_exthdrs() where other exthdr types are similarly checked for
      correctness.
      Signed-off-by: default avatarKevin Easton <kevin@guarana.org>
      Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
      Signed-off-by: default avatarSteffen Klassert <steffen.klassert@secunet.com>
      Cc: Zubin Mithra <zsm@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7d970250
    • Bart Van Assche's avatar
      blkdev_report_zones_ioctl(): Use vmalloc() to allocate large buffers · 1cbd5ece
      Bart Van Assche authored
      commit 327ea4ad upstream.
      
      Avoid that complaints similar to the following appear in the kernel log
      if the number of zones is sufficiently large:
      
        fio: page allocation failure: order:9, mode:0x140c0c0(GFP_KERNEL|__GFP_COMP|__GFP_ZERO), nodemask=(null)
        Call Trace:
        dump_stack+0x63/0x88
        warn_alloc+0xf5/0x190
        __alloc_pages_slowpath+0x8f0/0xb0d
        __alloc_pages_nodemask+0x242/0x260
        alloc_pages_current+0x6a/0xb0
        kmalloc_order+0x18/0x50
        kmalloc_order_trace+0x26/0xb0
        __kmalloc+0x20e/0x220
        blkdev_report_zones_ioctl+0xa5/0x1a0
        blkdev_ioctl+0x1ba/0x930
        block_ioctl+0x41/0x50
        do_vfs_ioctl+0xaa/0x610
        SyS_ioctl+0x79/0x90
        do_syscall_64+0x79/0x1b0
        entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      Fixes: 3ed05a98 ("blk-zoned: implement ioctls")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@wdc.com>
      Cc: Shaun Tancheff <shaun.tancheff@seagate.com>
      Cc: Damien Le Moal <damien.lemoal@hgst.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Cc: Hannes Reinecke <hare@suse.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cbd5ece
    • Taehee Yoo's avatar
      netfilter: nf_tables: fix NULL pointer dereference on nft_ct_helper_obj_dump() · d02ae00a
      Taehee Yoo authored
      commit b7153458 upstream.
      
      In the nft_ct_helper_obj_dump(), always priv->helper4 is dereferenced.
      But if family is ipv6, priv->helper6 should be dereferenced.
      
      Steps to reproduces:
      
         #test.nft
         table ip6 filter {
      	   ct helper ftp {
      		   type "ftp" protocol tcp
      	   }
      	   chain input {
      		   type filter hook input priority 4;
      		   ct helper set "ftp"
      	   }
         }
      
         %nft -f test.nft
         %nft list ruleset
      
      we can see the below messages:
      
      [  916.286233] kasan: GPF could be caused by NULL-ptr deref or user memory access
      [  916.294777] general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [  916.302613] Modules linked in: nft_objref nf_conntrack_sip nf_conntrack_snmp nf_conntrack_broadcast nf_conntrack_ftp nft_ct nf_conntrack nf_tables nfnetlink [last unloaded: nfnetlink]
      [  916.318758] CPU: 1 PID: 2093 Comm: nft Not tainted 4.17.0-rc4+ #181
      [  916.326772] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
      [  916.338773] RIP: 0010:strlen+0x1a/0x90
      [  916.342781] RSP: 0018:ffff88010ff0f2f8 EFLAGS: 00010292
      [  916.346773] RAX: dffffc0000000000 RBX: ffff880119b26ee8 RCX: ffff88010c150038
      [  916.354777] RDX: 0000000000000002 RSI: ffff880119b26ee8 RDI: 0000000000000010
      [  916.362773] RBP: 0000000000000010 R08: 0000000000007e88 R09: ffff88010c15003c
      [  916.370773] R10: ffff88010c150037 R11: ffffed002182a007 R12: ffff88010ff04040
      [  916.378779] R13: 0000000000000010 R14: ffff880119b26f30 R15: ffff88010ff04110
      [  916.387265] FS:  00007f57a1997700(0000) GS:ffff88011b800000(0000) knlGS:0000000000000000
      [  916.394785] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  916.402778] CR2: 00007f57a0ac80f0 CR3: 000000010ff02000 CR4: 00000000001006e0
      [  916.410772] Call Trace:
      [  916.414787]  nft_ct_helper_obj_dump+0x94/0x200 [nft_ct]
      [  916.418779]  ? nft_ct_set_eval+0x560/0x560 [nft_ct]
      [  916.426771]  ? memset+0x1f/0x40
      [  916.426771]  ? __nla_reserve+0x92/0xb0
      [  916.434774]  ? memcpy+0x34/0x50
      [  916.434774]  nf_tables_fill_obj_info+0x484/0x860 [nf_tables]
      [  916.442773]  ? __nft_release_basechain+0x600/0x600 [nf_tables]
      [  916.450779]  ? lock_acquire+0x193/0x380
      [  916.454771]  ? lock_acquire+0x193/0x380
      [  916.458789]  ? nf_tables_dump_obj+0x148/0xcb0 [nf_tables]
      [  916.462777]  nf_tables_dump_obj+0x5f0/0xcb0 [nf_tables]
      [  916.470769]  ? __alloc_skb+0x30b/0x500
      [  916.474779]  netlink_dump+0x752/0xb50
      [  916.478775]  __netlink_dump_start+0x4d3/0x750
      [  916.482784]  nf_tables_getobj+0x27a/0x930 [nf_tables]
      [  916.490774]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  916.494772]  ? nf_tables_getobj+0x930/0x930 [nf_tables]
      [  916.502579]  ? nf_tables_dump_flowtable_done+0x70/0x70 [nf_tables]
      [  916.506774]  ? nft_obj_notify+0x100/0x100 [nf_tables]
      [  916.514808]  nfnetlink_rcv_msg+0x8ab/0xa86 [nfnetlink]
      [  916.518771]  ? nfnetlink_rcv_msg+0x550/0xa86 [nfnetlink]
      [  916.526782]  netlink_rcv_skb+0x23e/0x360
      [  916.530773]  ? nfnetlink_bind+0x200/0x200 [nfnetlink]
      [  916.534778]  ? debug_check_no_locks_freed+0x280/0x280
      [  916.542770]  ? netlink_ack+0x870/0x870
      [  916.546786]  ? ns_capable_common+0xf4/0x130
      [  916.550765]  nfnetlink_rcv+0x172/0x16c0 [nfnetlink]
      [  916.554771]  ? sched_clock_local+0xe2/0x150
      [  916.558774]  ? sched_clock_cpu+0x144/0x180
      [  916.566575]  ? lock_acquire+0x380/0x380
      [  916.570775]  ? sched_clock_local+0xe2/0x150
      [  916.574765]  ? nfnetlink_net_init+0x130/0x130 [nfnetlink]
      [  916.578763]  ? sched_clock_cpu+0x144/0x180
      [  916.582770]  ? lock_acquire+0x193/0x380
      [  916.590771]  ? lock_acquire+0x193/0x380
      [  916.594766]  ? lock_acquire+0x380/0x380
      [  916.598760]  ? netlink_deliver_tap+0x262/0xa60
      [  916.602766]  ? lock_acquire+0x193/0x380
      [  916.606766]  netlink_unicast+0x3ef/0x5a0
      [  916.610771]  ? netlink_attachskb+0x630/0x630
      [  916.614763]  netlink_sendmsg+0x72a/0xb00
      [  916.618769]  ? netlink_unicast+0x5a0/0x5a0
      [  916.626766]  ? _copy_from_user+0x92/0xc0
      [  916.630773]  __sys_sendto+0x202/0x300
      [  916.634772]  ? __ia32_sys_getpeername+0xb0/0xb0
      [  916.638759]  ? lock_acquire+0x380/0x380
      [  916.642769]  ? lock_acquire+0x193/0x380
      [  916.646761]  ? finish_task_switch+0xf4/0x560
      [  916.650763]  ? __schedule+0x582/0x19a0
      [  916.655301]  ? __sched_text_start+0x8/0x8
      [  916.655301]  ? up_read+0x1c/0x110
      [  916.655301]  ? __do_page_fault+0x48b/0xaa0
      [  916.655301]  ? entry_SYSCALL_64_after_hwframe+0x59/0xbe
      [  916.655301]  __x64_sys_sendto+0xdd/0x1b0
      [  916.655301]  do_syscall_64+0x96/0x3d0
      [  916.655301]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  916.655301] RIP: 0033:0x7f57a0ff5e03
      [  916.655301] RSP: 002b:00007fff6367e0a8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [  916.655301] RAX: ffffffffffffffda RBX: 00007fff6367f1e0 RCX: 00007f57a0ff5e03
      [  916.655301] RDX: 0000000000000020 RSI: 00007fff6367e110 RDI: 0000000000000003
      [  916.655301] RBP: 00007fff6367e100 R08: 00007f57a0ce9160 R09: 000000000000000c
      [  916.655301] R10: 0000000000000000 R11: 0000000000000246 R12: 00007fff6367e110
      [  916.655301] R13: 0000000000000020 R14: 00007f57a153c610 R15: 0000562417258de0
      [  916.655301] Code: ff ff ff 0f 1f 40 00 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 fa 53 48 c1 ea 03 48 b8 00 00 00 00 00 fc ff df 48 89 fd 48 83 ec 08 <0f> b6 04 02 48 89 fa 83 e2 07 38 d0 7f
      [  916.655301] RIP: strlen+0x1a/0x90 RSP: ffff88010ff0f2f8
      [  916.771929] ---[ end trace 1065e048e72479fe ]---
      [  916.777204] Kernel panic - not syncing: Fatal exception
      [  916.778158] Kernel Offset: 0x14000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Acked-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d02ae00a
  2. 11 Jun, 2018 16 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.14.49 · 70d7bbd9
      Greg Kroah-Hartman authored
      70d7bbd9
    • Dave Airlie's avatar
      drm: set FMODE_UNSIGNED_OFFSET for drm files · 2abd4c3e
      Dave Airlie authored
      commit 76ef6b28 upstream.
      
      Since we have the ttm and gem vma managers using a subset
      of the file address space for objects, and these start at
      0x100000000 they will overflow the new mmap checks.
      
      I've checked all the mmap routines I could see for any
      bad behaviour but overall most people use GEM/TTM VMA
      managers even the legacy drivers have a hashtable.
      
      Reported-and-Tested-by: Arthur Marsh (amarsh04 on #radeon)
      Fixes: be83bbf8 (mmap: introduce sane default mmap limits)
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2abd4c3e
    • Dexuan Cui's avatar
      PCI: hv: Do not wait forever on a device that has disappeared · 3fe4b0cf
      Dexuan Cui authored
      commit c3635da2 upstream.
      
      Before the guest finishes the device initialization, the device can be
      removed anytime by the host, and after that the host won't respond to
      the guest's request, so the guest should be prepared to handle this
      case.
      
      Add a polling mechanism to detect device presence.
      Signed-off-by: default avatarDexuan Cui <decui@microsoft.com>
      [lorenzo.pieralisi@arm.com: edited commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Reviewed-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Cc: Stephen Hemminger <sthemmin@microsoft.com>
      Cc: K. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3fe4b0cf
    • Paul Blakey's avatar
      cls_flower: Fix incorrect idr release when failing to modify rule · dd4be396
      Paul Blakey authored
      [ Upstream commit 8258d2da ]
      
      When we fail to modify a rule, we incorrectly release the idr handle
      of the unmodified old rule.
      
      Fix that by checking if we need to release it.
      
      Fixes: fe2502e4 ("net_sched: remove cls_flower idr on failure")
      Reported-by: default avatarVlad Buslov <vladbu@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Acked-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarPaul Blakey <paulb@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dd4be396
    • Eric Dumazet's avatar
      rtnetlink: validate attributes in do_setlink() · c931c9ae
      Eric Dumazet authored
      [ Upstream commit 644c7eeb ]
      
      It seems that rtnl_group_changelink() can call do_setlink
      while a prior call to validate_linkmsg(dev = NULL, ...) could
      not validate IFLA_ADDRESS / IFLA_BROADCAST
      
      Make sure do_setlink() calls validate_linkmsg() instead
      of letting its callers having this responsibility.
      
      With help from Dmitry Vyukov, thanks a lot !
      
      BUG: KMSAN: uninit-value in is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
      BUG: KMSAN: uninit-value in eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
      BUG: KMSAN: uninit-value in eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
      CPU: 1 PID: 8695 Comm: syz-executor3 Not tainted 4.17.0-rc5+ #103
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x149/0x260 mm/kmsan/kmsan.c:1084
       __msan_warning_32+0x6e/0xc0 mm/kmsan/kmsan_instr.c:686
       is_valid_ether_addr include/linux/etherdevice.h:199 [inline]
       eth_prepare_mac_addr_change net/ethernet/eth.c:275 [inline]
       eth_mac_addr+0x203/0x2b0 net/ethernet/eth.c:308
       dev_set_mac_address+0x261/0x530 net/core/dev.c:7157
       do_setlink+0xbc3/0x5fc0 net/core/rtnetlink.c:2317
       rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
       rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
       rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      RIP: 0033:0x455a09
      RSP: 002b:00007fc07480ec68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00007fc07480f6d4 RCX: 0000000000455a09
      RDX: 0000000000000000 RSI: 00000000200003c0 RDI: 0000000000000014
      RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
      R13: 00000000000005d0 R14: 00000000006fdc20 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:294 [inline]
       kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:685
       kmsan_memcpy_origins+0x11d/0x170 mm/kmsan/kmsan.c:527
       __msan_memcpy+0x109/0x160 mm/kmsan/kmsan_instr.c:478
       do_setlink+0xb84/0x5fc0 net/core/rtnetlink.c:2315
       rtnl_group_changelink net/core/rtnetlink.c:2824 [inline]
       rtnl_newlink+0x1fe9/0x37a0 net/core/rtnetlink.c:2976
       rtnetlink_rcv_msg+0xa32/0x1560 net/core/rtnetlink.c:4646
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2448
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4664
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1678/0x1750 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x104f/0x1350 net/netlink/af_netlink.c:1901
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan.c:322
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2753 [inline]
       __kmalloc_node_track_caller+0xb32/0x11b0 mm/slub.c:4395
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cb/0x9e0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:988 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
       netlink_sendmsg+0x76e/0x1350 net/netlink/af_netlink.c:1876
       sock_sendmsg_nosec net/socket.c:629 [inline]
       sock_sendmsg net/socket.c:639 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
       __sys_sendmsg net/socket.c:2155 [inline]
       __do_sys_sendmsg net/socket.c:2164 [inline]
       __se_sys_sendmsg net/socket.c:2162 [inline]
       __x64_sys_sendmsg+0x331/0x460 net/socket.c:2162
       do_syscall_64+0x152/0x230 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: e7ed828f ("netlink: support setting devgroup parameters")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Cc: Dmitry Vyukov <dvyukov@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c931c9ae
    • Jason Wang's avatar
      virtio-net: fix leaking page for gso packet during mergeable XDP · fa11d992
      Jason Wang authored
      [ Upstream commit 3d62b2a0 ]
      
      We need to drop refcnt to xdp_page if we see a gso packet. Otherwise
      it will be leaked. Fixing this by moving the check of gso packet above
      the linearizing logic. While at it, remove useless comment as well.
      
      Cc: John Fastabend <john.fastabend@gmail.com>
      Fixes: 72979a6c ("virtio_net: xdp, add slowpath case for non contiguous buffers")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa11d992
    • Eran Ben Elisha's avatar
      net/mlx5e: When RXFCS is set, add FCS data into checksum calculation · 2b8b2b26
      Eran Ben Elisha authored
      [ Upstream commit 902a5459 ]
      
      When RXFCS feature is enabled, the HW do not strip the FCS data,
      however it is not present in the checksum calculated by the HW.
      
      Fix that by manually calculating the FCS checksum and adding it to the SKB
      checksum field.
      
      Add helper function to find the FCS data for all SKB forms (linear,
      one fragment or more).
      
      Fixes: 102722fc ("net/mlx5e: Add support for RXFCS feature flag")
      Signed-off-by: default avatarEran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b8b2b26
    • Jason Wang's avatar
      virtio-net: correctly check num_buf during err path · 155cd575
      Jason Wang authored
      [ Upstream commit 850e088d ]
      
      If we successfully linearize the packet, num_buf will be set to zero
      which may confuse error handling path which assumes num_buf is at
      least 1 and this can lead the code tries to pop the descriptor of next
      buffer. Fixing this by checking num_buf against 1 before decreasing.
      
      Fixes: 4941d472 ("virtio-net: do not reset during XDP set")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      155cd575
    • Toshiaki Makita's avatar
      tun: Fix NULL pointer dereference in XDP redirect · e2d47fa1
      Toshiaki Makita authored
      [ Upstream commit 6547e387 ]
      
      Calling XDP redirection requires bh disabled. Softirq can call another
      XDP function and redirection functions, then the percpu static variable
      ri->map can be overwritten to NULL.
      
      This is a generic XDP case called from tun.
      
      [ 3535.736058] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
      [ 3535.743974] PGD 0 P4D 0
      [ 3535.746530] Oops: 0000 [#1] SMP PTI
      [ 3535.750049] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm ipmi_ssif irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel crypto_simd cryptd enclosure hpwdt hpilo glue_helper ipmi_si pcspkr wmi mei_me ioatdma mei ipmi_devintf shpchp dca ipmi_msghandler lpc_ich acpi_power_meter sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm smartpqi i40e crc32c_intel scsi_transport_sas tg3 i2c_core ptp pps_core
      [ 3535.813456] CPU: 5 PID: 1630 Comm: vhost-1614 Not tainted 4.17.0-rc4 #2
      [ 3535.820127] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017
      [ 3535.828732] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30
      [ 3535.833740] RSP: 0018:ffffb4bc47bf7c58 EFLAGS: 00010246
      [ 3535.839009] RAX: ffff9fdfcfea1c40 RBX: 0000000000000000 RCX: ffff9fdf27fe3100
      [ 3535.846205] RDX: ffff9fdfca769200 RSI: 0000000000000000 RDI: 0000000000000000
      [ 3535.853402] RBP: ffffb4bc491d9000 R08: 00000000000045ad R09: 0000000000000ec0
      [ 3535.860597] R10: 0000000000000001 R11: ffff9fdf26c3ce4e R12: ffff9fdf9e72c000
      [ 3535.867794] R13: 0000000000000000 R14: fffffffffffffff2 R15: ffff9fdfc82cdd00
      [ 3535.874990] FS:  0000000000000000(0000) GS:ffff9fdfcfe80000(0000) knlGS:0000000000000000
      [ 3535.883152] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 3535.888948] CR2: 0000000000000018 CR3: 0000000bde724004 CR4: 00000000007626e0
      [ 3535.896145] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 3535.903342] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 3535.910538] PKRU: 55555554
      [ 3535.913267] Call Trace:
      [ 3535.915736]  xdp_do_generic_redirect+0x7a/0x310
      [ 3535.920310]  do_xdp_generic.part.117+0x285/0x370
      [ 3535.924970]  tun_get_user+0x5b9/0x1260 [tun]
      [ 3535.929279]  tun_sendmsg+0x52/0x70 [tun]
      [ 3535.933237]  handle_tx+0x2ad/0x5f0 [vhost_net]
      [ 3535.937721]  vhost_worker+0xa5/0x100 [vhost]
      [ 3535.942030]  kthread+0xf5/0x130
      [ 3535.945198]  ? vhost_dev_ioctl+0x3b0/0x3b0 [vhost]
      [ 3535.950031]  ? kthread_bind+0x10/0x10
      [ 3535.953727]  ret_from_fork+0x35/0x40
      [ 3535.957334] Code: 0e 74 15 83 f8 10 75 05 e9 49 aa b3 ff f3 c3 0f 1f 80 00 00 00 00 f3 c3 e9 29 9d b3 ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <8b> 47 18 83 f8 0e 74 0d 83 f8 10 75 05 e9 49 a9 b3 ff 31 c0 c3
      [ 3535.976387] RIP: __xdp_map_lookup_elem+0x5/0x30 RSP: ffffb4bc47bf7c58
      [ 3535.982883] CR2: 0000000000000018
      [ 3535.987096] ---[ end trace 383b299dd1430240 ]---
      [ 3536.131325] Kernel panic - not syncing: Fatal exception
      [ 3536.137484] Kernel Offset: 0x26a00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [ 3536.281406] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      And a kernel with generic case fixed still panics in tun driver XDP
      redirect, because it disabled only preemption, but not bh.
      
      [ 2055.128746] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
      [ 2055.136662] PGD 0 P4D 0
      [ 2055.139219] Oops: 0000 [#1] SMP PTI
      [ 2055.142736] Modules linked in: vhost_net vhost tap tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter sunrpc vfat fat ext4 mbcache jbd2 intel_rapl skx_edac nfit libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc ses aesni_intel ipmi_ssif crypto_simd enclosure cryptd hpwdt glue_helper ioatdma hpilo wmi dca pcspkr ipmi_si acpi_power_meter ipmi_devintf shpchp mei_me ipmi_msghandler mei lpc_ich sch_fq_codel ip_tables xfs libcrc32c sd_mod mgag200 i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm i40e smartpqi tg3 scsi_transport_sas crc32c_intel i2c_core ptp pps_core
      [ 2055.206142] CPU: 6 PID: 1693 Comm: vhost-1683 Tainted: G        W         4.17.0-rc5-fix-tun+ #1
      [ 2055.215011] Hardware name: HPE ProLiant DL360 Gen10/ProLiant DL360 Gen10, BIOS U32 11/14/2017
      [ 2055.223617] RIP: 0010:__xdp_map_lookup_elem+0x5/0x30
      [ 2055.228624] RSP: 0018:ffff998b07607cc0 EFLAGS: 00010246
      [ 2055.233892] RAX: ffff8dbd8e235700 RBX: ffff8dbd8ff21c40 RCX: 0000000000000004
      [ 2055.241089] RDX: ffff998b097a9000 RSI: 0000000000000000 RDI: 0000000000000000
      [ 2055.248286] RBP: 0000000000000000 R08: 00000000000065a8 R09: 0000000000005d80
      [ 2055.255483] R10: 0000000000000040 R11: ffff8dbcf0100000 R12: ffff998b097a9000
      [ 2055.262681] R13: ffff8dbd8c98c000 R14: 0000000000000000 R15: ffff998b07607d78
      [ 2055.269879] FS:  0000000000000000(0000) GS:ffff8dbd8ff00000(0000) knlGS:0000000000000000
      [ 2055.278039] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2055.283834] CR2: 0000000000000018 CR3: 0000000c0c8cc005 CR4: 00000000007626e0
      [ 2055.291030] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 2055.298227] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 2055.305424] PKRU: 55555554
      [ 2055.308153] Call Trace:
      [ 2055.310624]  xdp_do_redirect+0x7b/0x380
      [ 2055.314499]  tun_get_user+0x10fe/0x12a0 [tun]
      [ 2055.318895]  tun_sendmsg+0x52/0x70 [tun]
      [ 2055.322852]  handle_tx+0x2ad/0x5f0 [vhost_net]
      [ 2055.327337]  vhost_worker+0xa5/0x100 [vhost]
      [ 2055.331646]  kthread+0xf5/0x130
      [ 2055.334813]  ? vhost_dev_ioctl+0x3b0/0x3b0 [vhost]
      [ 2055.339646]  ? kthread_bind+0x10/0x10
      [ 2055.343343]  ret_from_fork+0x35/0x40
      [ 2055.346950] Code: 0e 74 15 83 f8 10 75 05 e9 e9 aa b3 ff f3 c3 0f 1f 80 00 00 00 00 f3 c3 e9 c9 9d b3 ff 66 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 <8b> 47 18 83 f8 0e 74 0d 83 f8 10 75 05 e9 e9 a9 b3 ff 31 c0 c3
      [ 2055.366004] RIP: __xdp_map_lookup_elem+0x5/0x30 RSP: ffff998b07607cc0
      [ 2055.372500] CR2: 0000000000000018
      [ 2055.375856] ---[ end trace 2a2dcc5e9e174268 ]---
      [ 2055.523626] Kernel panic - not syncing: Fatal exception
      [ 2055.529796] Kernel Offset: 0x2e000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [ 2055.677539] ---[ end Kernel panic - not syncing: Fatal exception ]---
      
      v2:
       - Removed preempt_disable/enable since local_bh_disable will prevent
         preemption as well, feedback from Jason Wang.
      
      Fixes: 761876c8 ("tap: XDP support")
      Signed-off-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Acked-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2d47fa1
    • Jack Morgenstein's avatar
      net/mlx4: Fix irq-unsafe spinlock usage · 43153f09
      Jack Morgenstein authored
      [ Upstream commit d546b67c ]
      
      spin_lock/unlock was used instead of spin_un/lock_irq
      in a procedure used in process space, on a spinlock
      which can be grabbed in an interrupt.
      
      This caused the stack trace below to be displayed (on kernel
      4.17.0-rc1 compiled with Lock Debugging enabled):
      
      [  154.661474] WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected
      [  154.668909] 4.17.0-rc1-rdma_rc_mlx+ #3 Tainted: G          I
      [  154.675856] -----------------------------------------------------
      [  154.682706] modprobe/10159 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire:
      [  154.690254] 00000000f3b0e495 (&(&qp_table->lock)->rlock){+.+.}, at: mlx4_qp_remove+0x20/0x50 [mlx4_core]
      [  154.700927]
      and this task is already holding:
      [  154.707461] 0000000094373b5d (&(&cq->lock)->rlock/1){....}, at: destroy_qp_common+0x111/0x560 [mlx4_ib]
      [  154.718028] which would create a new lock dependency:
      [  154.723705]  (&(&cq->lock)->rlock/1){....} -> (&(&qp_table->lock)->rlock){+.+.}
      [  154.731922]
      but this new dependency connects a SOFTIRQ-irq-safe lock:
      [  154.740798]  (&(&cq->lock)->rlock){..-.}
      [  154.740800]
      ... which became SOFTIRQ-irq-safe at:
      [  154.752163]   _raw_spin_lock_irqsave+0x3e/0x50
      [  154.757163]   mlx4_ib_poll_cq+0x36/0x900 [mlx4_ib]
      [  154.762554]   ipoib_tx_poll+0x4a/0xf0 [ib_ipoib]
      ...
      to a SOFTIRQ-irq-unsafe lock:
      [  154.815603]  (&(&qp_table->lock)->rlock){+.+.}
      [  154.815604]
      ... which became SOFTIRQ-irq-unsafe at:
      [  154.827718] ...
      [  154.827720]   _raw_spin_lock+0x35/0x50
      [  154.833912]   mlx4_qp_lookup+0x1e/0x50 [mlx4_core]
      [  154.839302]   mlx4_flow_attach+0x3f/0x3d0 [mlx4_core]
      
      Since mlx4_qp_lookup() is called only in process space, we can
      simply replace the spin_un/lock calls with spin_un/lock_irq calls.
      
      Fixes: 6dc06c08 ("net/mlx4: Fix the check in attaching steering rules")
      Signed-off-by: default avatarJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: default avatarTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      43153f09
    • Jason Wang's avatar
      virtio-net: correctly transmit XDP buff after linearizing · 31c1e078
      Jason Wang authored
      [ Upstream commit 5d458a13 ]
      
      We should not go for the error path after successfully transmitting a
      XDP buffer after linearizing. Since the error path may try to pop and
      drop next packet and increase the drop counters. Fixing this by simply
      drop the refcnt of original page and go for xmit path.
      
      Fixes: 72979a6c ("virtio_net: xdp, add slowpath case for non contiguous buffers")
      Cc: John Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      31c1e078
    • Alexander Duyck's avatar
      net-sysfs: Fix memory leak in XPS configuration · 0dbd822f
      Alexander Duyck authored
      [ Upstream commit 664088f8 ]
      
      This patch reorders the error cases in showing the XPS configuration so
      that we hold off on memory allocation until after we have verified that we
      can support XPS on a given ring.
      
      Fixes: 184c449f ("net: Add support for XPS with QoS via traffic classes")
      Signed-off-by: default avatarAlexander Duyck <alexander.h.duyck@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0dbd822f
    • Florian Fainelli's avatar
      net: phy: broadcom: Fix auxiliary control register reads · 90067998
      Florian Fainelli authored
      [ Upstream commit 733a969a ]
      
      We are currently doing auxiliary control register reads with the shadow
      register value 0b111 (0x7) which incidentally is also the selector value
      that should be present in bits [2:0]. Fix this by using the appropriate
      selector mask which is defined (MII_BCM54XX_AUXCTL_SHDWSEL_MASK).
      
      This does not have a functional impact yet because we always access the
      MII_BCM54XX_AUXCTL_SHDWSEL_MISC (0x7) register in the current code.
      This might change at some point though.
      
      Fixes: 5b4e2900 ("net: phy: broadcom: add bcm54xx_auxctl_read")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      90067998
    • Mathieu Xhonneux's avatar
      ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline · 8d80a839
      Mathieu Xhonneux authored
      [ Upstream commit bbb40a0b ]
      
      seg6_do_srh_encap and seg6_do_srh_inline can possibly do an
      out-of-bounds access when adding the SRH to the packet. This no longer
      happen when expanding the skb not only by the size of the SRH (+
      outer IPv6 header), but also by skb->mac_len.
      
      [   53.793056] BUG: KASAN: use-after-free in seg6_do_srh_encap+0x284/0x620
      [   53.794564] Write of size 14 at addr ffff88011975ecfa by task ping/674
      
      [   53.796665] CPU: 0 PID: 674 Comm: ping Not tainted 4.17.0-rc3-ARCH+ #90
      [   53.796670] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
      BIOS 1.11.0-20171110_100015-anatol 04/01/2014
      [   53.796673] Call Trace:
      [   53.796679]  <IRQ>
      [   53.796689]  dump_stack+0x71/0xab
      [   53.796700]  print_address_description+0x6a/0x270
      [   53.796707]  kasan_report+0x258/0x380
      [   53.796715]  ? seg6_do_srh_encap+0x284/0x620
      [   53.796722]  memmove+0x34/0x50
      [   53.796730]  seg6_do_srh_encap+0x284/0x620
      [   53.796741]  ? seg6_do_srh+0x29b/0x360
      [   53.796747]  seg6_do_srh+0x29b/0x360
      [   53.796756]  seg6_input+0x2e/0x2e0
      [   53.796765]  lwtunnel_input+0x93/0xd0
      [   53.796774]  ipv6_rcv+0x690/0x920
      [   53.796783]  ? ip6_input+0x170/0x170
      [   53.796791]  ? eth_gro_receive+0x2d0/0x2d0
      [   53.796800]  ? ip6_input+0x170/0x170
      [   53.796809]  __netif_receive_skb_core+0xcc0/0x13f0
      [   53.796820]  ? netdev_info+0x110/0x110
      [   53.796827]  ? napi_complete_done+0xb6/0x170
      [   53.796834]  ? e1000_clean+0x6da/0xf70
      [   53.796845]  ? process_backlog+0x129/0x2a0
      [   53.796853]  process_backlog+0x129/0x2a0
      [   53.796862]  net_rx_action+0x211/0x5c0
      [   53.796870]  ? napi_complete_done+0x170/0x170
      [   53.796887]  ? run_rebalance_domains+0x11f/0x150
      [   53.796891]  __do_softirq+0x10e/0x39e
      [   53.796894]  do_softirq_own_stack+0x2a/0x40
      [   53.796895]  </IRQ>
      [   53.796898]  do_softirq.part.16+0x54/0x60
      [   53.796900]  __local_bh_enable_ip+0x5b/0x60
      [   53.796903]  ip6_finish_output2+0x416/0x9f0
      [   53.796906]  ? ip6_dst_lookup_flow+0x110/0x110
      [   53.796909]  ? ip6_sk_dst_lookup_flow+0x390/0x390
      [   53.796911]  ? __rcu_read_unlock+0x66/0x80
      [   53.796913]  ? ip6_mtu+0x44/0xf0
      [   53.796916]  ? ip6_output+0xfc/0x220
      [   53.796918]  ip6_output+0xfc/0x220
      [   53.796921]  ? ip6_finish_output+0x2b0/0x2b0
      [   53.796923]  ? memcpy+0x34/0x50
      [   53.796926]  ip6_send_skb+0x43/0xc0
      [   53.796929]  rawv6_sendmsg+0x1216/0x1530
      [   53.796932]  ? __orc_find+0x6b/0xc0
      [   53.796934]  ? rawv6_rcv_skb+0x160/0x160
      [   53.796937]  ? __rcu_read_unlock+0x66/0x80
      [   53.796939]  ? __rcu_read_unlock+0x66/0x80
      [   53.796942]  ? is_bpf_text_address+0x1e/0x30
      [   53.796944]  ? kernel_text_address+0xec/0x100
      [   53.796946]  ? __kernel_text_address+0xe/0x30
      [   53.796948]  ? unwind_get_return_address+0x2f/0x50
      [   53.796950]  ? __save_stack_trace+0x92/0x100
      [   53.796954]  ? save_stack+0x89/0xb0
      [   53.796956]  ? kasan_kmalloc+0xa0/0xd0
      [   53.796958]  ? kmem_cache_alloc+0xd2/0x1f0
      [   53.796961]  ? prepare_creds+0x23/0x160
      [   53.796963]  ? __x64_sys_capset+0x252/0x3e0
      [   53.796966]  ? do_syscall_64+0x69/0x160
      [   53.796968]  ? entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   53.796971]  ? __alloc_pages_nodemask+0x170/0x380
      [   53.796973]  ? __alloc_pages_slowpath+0x12c0/0x12c0
      [   53.796977]  ? tty_vhangup+0x20/0x20
      [   53.796979]  ? policy_nodemask+0x1a/0x90
      [   53.796982]  ? __mod_node_page_state+0x8d/0xa0
      [   53.796986]  ? __check_object_size+0xe7/0x240
      [   53.796989]  ? __sys_sendto+0x229/0x290
      [   53.796991]  ? rawv6_rcv_skb+0x160/0x160
      [   53.796993]  __sys_sendto+0x229/0x290
      [   53.796996]  ? __ia32_sys_getpeername+0x50/0x50
      [   53.796999]  ? commit_creds+0x2de/0x520
      [   53.797002]  ? security_capset+0x57/0x70
      [   53.797004]  ? __x64_sys_capset+0x29f/0x3e0
      [   53.797007]  ? __x64_sys_rt_sigsuspend+0xe0/0xe0
      [   53.797011]  ? __do_page_fault+0x664/0x770
      [   53.797014]  __x64_sys_sendto+0x74/0x90
      [   53.797017]  do_syscall_64+0x69/0x160
      [   53.797019]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   53.797022] RIP: 0033:0x7f43b7a6714a
      [   53.797023] RSP: 002b:00007ffd891bd368 EFLAGS: 00000246 ORIG_RAX:
      000000000000002c
      [   53.797026] RAX: ffffffffffffffda RBX: 00000000006129c0 RCX: 00007f43b7a6714a
      [   53.797028] RDX: 0000000000000040 RSI: 00000000006129c0 RDI: 0000000000000004
      [   53.797029] RBP: 00007ffd891be640 R08: 0000000000610940 R09: 000000000000001c
      [   53.797030] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
      [   53.797032] R13: 000000000060e6a0 R14: 0000000000008004 R15: 000000000040b661
      
      [   53.797171] Allocated by task 642:
      [   53.797460]  kasan_kmalloc+0xa0/0xd0
      [   53.797463]  kmem_cache_alloc+0xd2/0x1f0
      [   53.797465]  getname_flags+0x40/0x210
      [   53.797467]  user_path_at_empty+0x1d/0x40
      [   53.797469]  do_faccessat+0x12a/0x320
      [   53.797471]  do_syscall_64+0x69/0x160
      [   53.797473]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [   53.797607] Freed by task 642:
      [   53.797869]  __kasan_slab_free+0x130/0x180
      [   53.797871]  kmem_cache_free+0xa8/0x230
      [   53.797872]  filename_lookup+0x15b/0x230
      [   53.797874]  do_faccessat+0x12a/0x320
      [   53.797876]  do_syscall_64+0x69/0x160
      [   53.797878]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [   53.798014] The buggy address belongs to the object at ffff88011975e600
                      which belongs to the cache names_cache of size 4096
      [   53.799043] The buggy address is located 1786 bytes inside of
                      4096-byte region [ffff88011975e600, ffff88011975f600)
      [   53.800013] The buggy address belongs to the page:
      [   53.800414] page:ffffea000465d600 count:1 mapcount:0
      mapping:0000000000000000 index:0x0 compound_mapcount: 0
      [   53.801259] flags: 0x17fff0000008100(slab|head)
      [   53.801640] raw: 017fff0000008100 0000000000000000 0000000000000000
      0000000100070007
      [   53.803147] raw: dead000000000100 dead000000000200 ffff88011b185a40
      0000000000000000
      [   53.803787] page dumped because: kasan: bad access detected
      
      [   53.804384] Memory state around the buggy address:
      [   53.804788]  ffff88011975eb80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.805384]  ffff88011975ec00: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.805979] >ffff88011975ec80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.806577]                                                                 ^
      [   53.807165]  ffff88011975ed00: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.807762]  ffff88011975ed80: fb fb fb fb fb fb fb fb fb fb fb fb
      fb fb fb fb
      [   53.808356] ==================================================================
      [   53.808949] Disabling lock debugging due to kernel taint
      
      Fixes: 6c8702c6 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
      Signed-off-by: default avatarDavid Lebrun <dlebrun@google.com>
      Signed-off-by: default avatarMathieu Xhonneux <m.xhonneux@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d80a839
    • Stephen Suryaputra's avatar
      vrf: check the original netdevice for generating redirect · c5e1541e
      Stephen Suryaputra authored
      [ Upstream commit 2f17becf ]
      
      Use the right device to determine if redirect should be sent especially
      when using vrf. Same as well as when sending the redirect.
      Signed-off-by: default avatarStephen Suryaputra <ssuryaextr@gmail.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5e1541e
    • Jason Wang's avatar
      vhost: synchronize IOTLB message with dev cleanup · 6d431f6e
      Jason Wang authored
      [ Upstream commit 1b15ad68 ]
      
      DaeRyong Jeong reports a race between vhost_dev_cleanup() and
      vhost_process_iotlb_msg():
      
      Thread interleaving:
      CPU0 (vhost_process_iotlb_msg)			CPU1 (vhost_dev_cleanup)
      (In the case of both VHOST_IOTLB_UPDATE and
      VHOST_IOTLB_INVALIDATE)
      
      =====						=====
      						vhost_umem_clean(dev->iotlb);
      if (!dev->iotlb) {
      	        ret = -EFAULT;
      		        break;
      }
      						dev->iotlb = NULL;
      
      The reason is we don't synchronize between them, fixing by protecting
      vhost_process_iotlb_msg() with dev mutex.
      Reported-by: default avatarDaeRyong Jeong <threeearcat@gmail.com>
      Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6d431f6e