1. 29 Jan, 2020 40 commits
    • Linux 4.14.169 · 9fa690a2
      Greg Kroah-Hartman authored
    • net/x25: fix nonblocking connect · 94868d28
      Martin Schiller authored
      commit e21dba7a upstream.
      
      This patch fixes 2 issues in x25_connect():
      
      1. It makes absolutely no sense to reset the neighbour and the
      connection state after a (successful) nonblocking call of x25_connect.
      This prevents any connection from being established, since the response
      (call accept) cannot be processed.
      
      2. Any further calls to x25_connect() while a call is pending should
      simply return, instead of creating a new Call Request (on different
      logical channels).
      
      This patch should also fix the "KASAN: null-ptr-deref Write in
      x25_connect" and "BUG: unable to handle kernel NULL pointer dereference
      in x25_connect" bugs reported by syzbot.
      
      Signed-off-by: Martin Schiller <ms@dev.tdt.de>
      Reported-by: syzbot+429c200ffc8772bfe070@syzkaller.appspotmail.com
      Reported-by: syzbot+eec0c87f31a7c3b66f7b@syzkaller.appspotmail.com
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • netfilter: ipset: use bitmap infrastructure completely · f3439dd7
      Kadlecsik József authored
      commit 32c72165 upstream.
      
      The bitmap allocation did not use full unsigned long sizes
      when calculating the required size and that was triggered by KASAN
      as slab-out-of-bounds read in several places. The patch fixes all
      of them.
      
      Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
      Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
      Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
      Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
      Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
      Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
      Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
      Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() · 8f715caa
      Andy Shevchenko authored
      commit c42b65e3 upstream.
      
      A lot of code becomes ugly because of open coding allocations for bitmaps.
      
      Introduce three helpers to allow users to be clearer about their intention
      and keep their code neat.
      
      Note, due to multiple circular dependencies we may not provide
      the helpers as inliners. For now we keep them exported and, perhaps,
      at some point in the future we will sort out header inclusion and
      inheritance.
      
      Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
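      The ipset fix and the bitmap_alloc()/bitmap_zalloc()/bitmap_free() helpers it is backported alongside rest on one sizing rule: bitmap code walks the map in unsigned long words, so the backing allocation must be rounded up to whole words, not whole bytes, or the read of the last word runs off the end of the slab object (the KASAN report in the ipset commit). The userspace C program below is an added example written for this page; it is not code from the kernel or from either commit. The macro definitions mirror the kernel's names but are assumptions for this example, and the bitmap_zalloc()/bitmap_free() stand-ins drop the gfp flags argument the kernel versions take.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Mirrors of the kernel macros of the same names (assumed definitions;
 * BITS_PER_LONG follows the build's unsigned long width). */
#define BITS_PER_LONG       (8 * sizeof(unsigned long))
#define DIV_ROUND_UP(n, d)  (((n) + (d) - 1) / (d))
#define BITS_TO_LONGS(nr)   DIV_ROUND_UP((nr), BITS_PER_LONG)

/* The buggy sizing: rounds nbits up to whole bytes only. */
size_t bitmap_bytes_bytewise(size_t nbits)
{
    return DIV_ROUND_UP(nbits, 8);
}

/* The correct sizing, which is what bitmap_alloc()/bitmap_zalloc() use:
 * whole unsigned long words. */
size_t bitmap_bytes_longwise(size_t nbits)
{
    return BITS_TO_LONGS(nbits) * sizeof(unsigned long);
}

/* How far a word-wise access to the last word would run past a
 * byte-rounded allocation; 0 means the access stays in bounds. */
size_t overrun_bytes(size_t nbits)
{
    return bitmap_bytes_longwise(nbits) - bitmap_bytes_bytewise(nbits);
}

/* Userspace stand-ins for bitmap_zalloc()/bitmap_free() (the kernel
 * versions also take gfp flags). */
unsigned long *bitmap_zalloc(size_t nbits)
{
    return calloc(BITS_TO_LONGS(nbits), sizeof(unsigned long));
}

void bitmap_free(unsigned long *map)
{
    free(map);
}

/* Word-wise set/test: the access pattern that read past a byte-sized
 * allocation and tripped KASAN. Both reject an index beyond nbits. */
int bitmap_set_bit(unsigned long *map, size_t nbits, size_t bit)
{
    if (bit >= nbits)
        return -1;
    map[bit / BITS_PER_LONG] |= 1UL << (bit % BITS_PER_LONG);
    return 0;
}

int bitmap_test_bit(const unsigned long *map, size_t nbits, size_t bit)
{
    if (bit >= nbits)
        return -1;
    return (int)((map[bit / BITS_PER_LONG] >> (bit % BITS_PER_LONG)) & 1UL);
}

/* Allocate with the correct size, set one bit, read it back, free.
 * Returns the bit read back (1) or -1 if the index was out of range. */
int bitmap_roundtrip(size_t nbits, size_t bit)
{
    unsigned long *map = bitmap_zalloc(nbits);
    int rc;

    if (!map)
        return -1;
    rc = bitmap_set_bit(map, nbits, bit);
    if (rc == 0)
        rc = bitmap_test_bit(map, nbits, bit);
    bitmap_free(map);
    return rc;
}

int main(void)
{
    size_t n;

    for (n = 1; n <= 129; n += 64)
        printf("nbits=%3zu  bytewise=%2zu  longwise=%2zu  overrun=%zu\n",
               n, bitmap_bytes_bytewise(n), bitmap_bytes_longwise(n),
               overrun_bytes(n));
    return bitmap_roundtrip(65, 64) == 1 ? 0 : 1;
}
```

      For nbits=65 the byte-wise size is 9 while the word-wise walk touches 16 bytes on a 64-bit build; that 7-byte gap is exactly what a slab-out-of-bounds read looks like to KASAN. Reaching for bitmap_zalloc() instead of an open-coded kcalloc() removes the arithmetic from each caller.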
    • md: Avoid namespace collision with bitmap API · e9a80d43
      Andy Shevchenko authored
      commit e64e4018 upstream.
      
      bitmap API (include/linux/bitmap.h) has 'bitmap' prefix for its methods.
      
      On the other hand, the MD bitmap API is a special case.
      Adding 'md' prefix to it to avoid name space collision.
      
      No functional changes intended.
      
      Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Acked-by: Shaohua Li <shli@kernel.org>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      [only take the bitmap_free change for stable - gregkh]
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func · 20c0aa96
      Bo Wu authored
      commit bba340c7 upstream.
      
      In iscsi_if_rx func, after receiving one request through
      iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to
      reply to the request in a do-while loop.  If the iscsi_if_send_reply
      function keeps returning -EAGAIN, a deadlock will occur.
      
      For example, a client that only sends messages without calling the recvmsg
      func will result in the watchdog soft lockup.  The details are given as
      follows:
      
      	/* Reproducer: bind a NETLINK_ISCSI socket and flood it with
      	 * requests while never draining the replies. */
      	sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
      	retval = bind(sock_fd, (struct sockaddr *)&src_addr, sizeof(src_addr));
      	while (1) {
      		state_msg = sendmsg(sock_fd, &msg, 0);
      		/* Note: recvmsg(sock_fd, &msg, 0) is deliberately never called. */
      	}
      	close(sock_fd);
      
      watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat:
      curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0
      deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq:
               TIMER:        992
               SCHED:          8
      Sample irqstat:
               irq    2: delta       1003, curr:    3103802, arch_timer
      CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G           OE
      Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
      pstate: 40400005 (nZcv daif +PAN -UAO)
      pc : __alloc_skb+0x104/0x1b0
      lr : __alloc_skb+0x9c/0x1b0
      sp : ffff000033603a30
      x29: ffff000033603a30 x28: 00000000000002dd
      x27: ffff800b34ced810 x26: ffff800ba7569f00
      x25: 00000000ffffffff x24: 0000000000000000
      x23: ffff800f7c43f600 x22: 0000000000480020
      x21: ffff0000091d9000 x20: ffff800b34eff200
      x19: ffff800ba7569f00 x18: 0000000000000000
      x17: 0000000000000000 x16: 0000000000000000
      x15: 0000000000000000 x14: 0001000101000100
      x13: 0000000101010000 x12: 0101000001010100
      x11: 0001010101010001 x10: 00000000000002dd
      x9 : ffff000033603d58 x8 : ffff800b34eff400
      x7 : ffff800ba7569200 x6 : ffff800b34eff400
      x5 : 0000000000000000 x4 : 00000000ffffffff
      x3 : 0000000000000000 x2 : 0000000000000001
      x1 : ffff800b34eff2c0 x0 : 0000000000000300
      Call trace:
      __alloc_skb+0x104/0x1b0
      iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi]
      netlink_unicast+0x1e0/0x258
      netlink_sendmsg+0x310/0x378
      sock_sendmsg+0x4c/0x70
      sock_write_iter+0x90/0xf0
      __vfs_write+0x11c/0x190
      vfs_write+0xac/0x1c0
      ksys_write+0x6c/0xd8
      __arm64_sys_write+0x24/0x30
      el0_svc_common+0x78/0x130
      el0_svc_handler+0x38/0x78
      el0_svc+0x8/0xc
      
      Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com
      
      Signed-off-by: Bo Wu <wubo40@huawei.com>
      Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
      Reviewed-by: Lee Duncan <lduncan@suse.com>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT · bef0dc84
      Hans Verkuil authored
      commit ee8951e5 upstream.
      
      v4l2_vbi_format, v4l2_sliced_vbi_format and v4l2_sdr_format
      have a reserved array at the end that should be zeroed by drivers
      as per the V4L2 spec. Older drivers often do not do this, so just
      handle this in the core.
      
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • libertas: Fix two buffer overflows at parsing bss descriptor · 5cdd9e0e
      Wen Huang authored
      commit e5e884b4 upstream.
      
      add_ie_rates() copies rates without checking the length
      in bss descriptor from remote AP. When victim connects to
      remote attacker, this may trigger buffer overflow.
      lbs_ibss_join_existing() copies rates without checking the length
      in bss descriptor from remote IBSS node. When victim connects to
      remote attacker, this may trigger buffer overflow.
      Fix them by putting the length check before performing copy.
      
      This fix addresses CVE-2019-14896 and CVE-2019-14897.
      This also fixes a build warning of mixed declarations and code.
      
      Reported-by: kbuild test robot <lkp@intel.com>
      Signed-off-by: Wen Huang <huangwenabc@gmail.com>
      Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
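      The libertas fix above is the classic shape of a remote stack/heap overflow in a Wi-Fi driver: a length byte inside an information element (IE) chosen by the peer drives a memcpy() into a fixed-size rate table. The C program below is an added example for this page, not the libertas driver's code and not the patch itself; it shows the bounded form of that copy, checking the attacker-supplied IE length against both the bytes left in the frame and the space left in the destination table. MAX_RATES, the struct layout and the sample IE bodies are assumptions constructed for the example (the driver's real table size may differ); the element IDs 1 and 50 are the IEEE 802.11 Supported Rates and Extended Supported Rates IDs.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed rate table; an assumed value for the example, the
 * driver's real array size may differ. */
#define MAX_RATES 14

/* IEEE 802.11 element IDs for Supported Rates / Extended Supported Rates. */
#define WLAN_EID_SUPP_RATES     1
#define WLAN_EID_EXT_SUPP_RATES 50

struct bss_rates {
    uint8_t rates[MAX_RATES];
    size_t  nrates;
};

/* Append the rates carried by one IE to dst. The IE's length byte comes
 * from the remote peer, so it is checked twice before the memcpy(): against
 * the bytes left in the frame and against the space left in rates[].
 * Returns the number of rates copied or -EINVAL. */
int add_ie_rates(struct bss_rates *dst, const uint8_t *ie, size_t ie_len)
{
    size_t len;

    if (ie_len < 2)
        return -EINVAL;                 /* no room for id + length */
    if (ie[0] != WLAN_EID_SUPP_RATES && ie[0] != WLAN_EID_EXT_SUPP_RATES)
        return -EINVAL;
    len = ie[1];
    if (len > ie_len - 2)
        return -EINVAL;                 /* claimed length exceeds frame */
    if (len > MAX_RATES - dst->nrates)
        return -EINVAL;                 /* would overflow rates[] */
    memcpy(dst->rates + dst->nrates, ie + 2, len);
    dst->nrates += len;
    return (int)len;
}

/* Walk the IE list of a beacon/probe response body and collect rates.
 * Returns the total rate count or -EINVAL at the first malformed IE. */
int parse_rates(struct bss_rates *dst, const uint8_t *ies, size_t ies_len)
{
    size_t off = 0;

    memset(dst, 0, sizeof(*dst));
    while (off < ies_len) {
        size_t len;

        if (ies_len - off < 2)
            return -EINVAL;
        len = ies[off + 1];
        if (len > ies_len - off - 2)
            return -EINVAL;
        if (ies[off] == WLAN_EID_SUPP_RATES ||
            ies[off] == WLAN_EID_EXT_SUPP_RATES) {
            int rc = add_ie_rates(dst, ies + off, ies_len - off);

            if (rc < 0)
                return rc;
        }
        off += 2 + len;
    }
    return (int)dst->nrates;
}

/* Convenience wrapper: parse into a scratch table and return the count. */
int count_rates(const uint8_t *ies, size_t ies_len)
{
    struct bss_rates r;

    return parse_rates(&r, ies, ies_len);
}

/* Constructed sample IE bodies (not captured traffic). */
static const uint8_t benign_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',                             /* SSID */
    0x01, 0x08, 0x82, 0x84, 0x8b, 0x96, 0x0c, 0x12, 0x18, 0x24, /* rates */
    0x32, 0x04, 0x30, 0x48, 0x60, 0x6c,                         /* ext rates */
};
/* A rates IE claiming 200 bytes inside a 10-byte body. */
static const uint8_t truncated_ies[] = { 0x01, 0xc8, 1, 2, 3, 4, 5, 6, 7, 8 };
/* Two well-formed IEs whose combined 16 rates exceed MAX_RATES. */
static const uint8_t too_many_ies[] = {
    0x01, 0x08, 1, 2, 3, 4, 5, 6, 7, 8,
    0x32, 0x08, 9, 10, 11, 12, 13, 14, 15, 16,
};

int main(void)
{
    printf("benign: %d\n", count_rates(benign_ies, sizeof benign_ies));
    printf("truncated: %d\n", count_rates(truncated_ies, sizeof truncated_ies));
    printf("too many: %d\n", count_rates(too_many_ies, sizeof too_many_ies));
    return 0;
}
```

      The second check in add_ie_rates() is the one the commit adds: a single IE may be within its frame and still overflow the table once a second rates IE has already been appended, which is why the bound is taken against the remaining destination space rather than against MAX_RATES alone.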
    • coresight: tmc-etf: Do not call smp_processor_id from preemptible · 30885626
      Suzuki K Poulose authored
      commit 024c1fd9 upstream.
      
      During a perf session we try to allocate buffers on the "node" associated
      with the CPU the event is bound to. If it is not bound to a CPU, we
      use the current CPU node, using smp_processor_id(). However this is unsafe
      in a pre-emptible context and could generate the splats as below:
      
       BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
       caller is tmc_alloc_etf_buffer+0x5c/0x60
       CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344
       Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb  1 2019
       Call trace:
        dump_backtrace+0x0/0x150
        show_stack+0x14/0x20
        dump_stack+0x9c/0xc4
        debug_smp_processor_id+0x10c/0x110
        tmc_alloc_etf_buffer+0x5c/0x60
        etm_setup_aux+0x1c4/0x230
        rb_alloc_aux+0x1b8/0x2b8
        perf_mmap+0x35c/0x478
        mmap_region+0x34c/0x4f0
        do_mmap+0x2d8/0x418
        vm_mmap_pgoff+0xd0/0xf8
        ksys_mmap_pgoff+0x88/0xf8
        __arm64_sys_mmap+0x28/0x38
        el0_svc_handler+0xd8/0x138
        el0_svc+0x8/0xc
      
      Use NUMA_NO_NODE hint instead of using the current node for events
      not bound to CPUs.
      
      Fixes: 2e499bbc ("coresight: tmc: implementing TMC-ETF AUX space API")
      Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
      Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
      Cc: stable <stable@vger.kernel.org> # 4.7+
      Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
      Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • coresight: etb10: Do not call smp_processor_id from preemptible · a4681849
      Suzuki K Poulose authored
      commit 730766ba upstream.
      
      During a perf session we try to allocate buffers on the "node" associated
      with the CPU the event is bound to. If it is not bound to a CPU, we
      use the current CPU node, using smp_processor_id(). However this is unsafe
      in a pre-emptible context and could generate the splats as below:
      
       BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
      
      Use NUMA_NO_NODE hint instead of using the current node for events
      not bound to CPUs.
      
      Fixes: 2997aa40 ("coresight: etb10: implementing AUX API")
      Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
      Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
      Cc: stable <stable@vger.kernel.org> # 4.6+
      Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
      Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sd: Fix REQ_OP_ZONE_REPORT completion handling · 3e0151de
      Masato Suzuki authored
      ZBC/ZAC report zones command may return less bytes than requested if the
      number of matching zones for the report request is small. However, unlike
      read or write commands, the remainder of incomplete report zones commands
      cannot be automatically requested by the block layer: the start sector of
      the next report cannot be known, and the report reply may not be 512B
      aligned for SAS drives (a report zone reply size is always a multiple of
      64B). The regular request completion code executing bio_advance() and
      restart of the command remainder part currently causes invalid zone
      descriptor data to be reported to the caller if the report zone size is
      smaller than 512B (a case that can happen easily for a report of the last
      zones of a SAS drive for example).
      
      Since blkdev_report_zones() handles report zone command processing in a
      loop until completion (no more zones are being reported), we can safely
      avoid that the block layer performs an incorrect bio_advance() call and
      restart of the remainder of incomplete report zone BIOs. To do so, always
      indicate a full completion of REQ_OP_ZONE_REPORT by setting good_bytes to
      the request buffer size and by setting the command resid to 0. This does
      not affect the post processing of the report zone reply done by
      sd_zbc_complete() since the reply header indicates the number of zones
      reported.
      
      Fixes: 89d94756 ("sd: Implement support for ZBC devices")
      Cc: <stable@vger.kernel.org> # 4.19
      Cc: <stable@vger.kernel.org> # 4.14
      Signed-off-by: Masato Suzuki <masato.suzuki@wdc.com>
      Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
      Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • do_last(): fetch directory ->i_mode and ->i_uid before it's too late · 778de9db
      Al Viro authored
      commit d0cb5018 upstream.
      
      may_create_in_sticky() call is done when we already have dropped the
      reference to dir.
      
      Fixes: 30aba665 (namei: allow restricted O_CREAT of FIFOs and regular files)
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tracing: xen: Ordered comparison of function pointers · 09efdaac
      Changbin Du authored
      commit d0695e23 upstream.
      
      Just as commit 0566e40c ("tracing: initcall: Ordered comparison of
      function pointers"), this patch fixes another remaining one in xen.h
      found by clang-9.
      
      In file included from arch/x86/xen/trace.c:21:
      In file included from ./include/trace/events/xen.h:475:
      In file included from ./include/trace/define_trace.h:102:
      In file included from ./include/trace/trace_events.h:473:
      ./include/trace/events/xen.h:69:7: warning: ordered comparison of function \
      pointers ('xen_mc_callback_fn_t' (aka 'void (*)(void *)') and 'xen_mc_callback_fn_t') [-Wordered-compare-function-pointers]
                          __field(xen_mc_callback_fn_t, fn)
                          ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      ./include/trace/trace_events.h:421:29: note: expanded from macro '__field'
                                      ^
      ./include/trace/trace_events.h:407:6: note: expanded from macro '__field_ext'
                                       is_signed_type(type), filter_type);    \
                                       ^
      ./include/linux/trace_events.h:554:44: note: expanded from macro 'is_signed_type'
                                                    ^
      
      Fixes: c796f213 ("xen/trace: add multicall tracing")
      Signed-off-by: Changbin Du <changbin.du@gmail.com>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • scsi: RDMA/isert: Fix a recently introduced regression related to logout · 1ff73976
      Bart Van Assche authored
      commit 04060db4 upstream.
      
      iscsit_close_connection() calls isert_wait_conn(). Due to commit
      e9d3009c both functions call target_wait_for_sess_cmds() although that
      last function should be called only once. Fix this by removing the
      target_wait_for_sess_cmds() call from isert_wait_conn() and by only calling
      isert_wait_conn() after target_wait_for_sess_cmds().
      
      Fixes: e9d3009c ("scsi: target: iscsi: Wait for all commands to finish before freeing a session").
      Link: https://lore.kernel.org/r/20200116044737.19507-1-bvanassche@acm.org
      Reported-by: Rahul Kundu <rahul.kundu@chelsio.com>
      Signed-off-by: Bart Van Assche <bvanassche@acm.org>
      Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Acked-by: Sagi Grimberg <sagi@grimberg.me>
      Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • hwmon: (nct7802) Fix voltage limits to wrong registers · 788a56f8
      Gilles Buloz authored
      commit 7713e62c upstream.
      
      in0 thresholds are written to the in2 thresholds registers
      in2 thresholds to in3 thresholds
      in3 thresholds to in4 thresholds
      in4 thresholds to in0 thresholds
      
      Signed-off-by: Gilles Buloz <gilles.buloz@kontron.com>
      Link: https://lore.kernel.org/r/5de0f509.rc0oEvPOMjbfPW1w%gilles.buloz@kontron.com
      Fixes: 3434f378 ("hwmon: Driver for Nuvoton NCT7802Y")
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register · 59b27a9f
      Chuhong Yuan authored
      commit 97e24b09 upstream.
      
      The driver misses a check for devm_thermal_zone_of_sensor_register().
      Add a check to fix it.
      
      Fixes: e28d0c9c ("input: convert sun4i-ts to use devm_thermal_zone_of_sensor_register")
      Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: pegasus_notetaker - fix endpoint sanity check · f4c64034
      Johan Hovold authored
      commit bcfcb7f9 upstream.
      
      The driver was checking the number of endpoints of the first alternate
      setting instead of the current one, something which could be used by a
      malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer
      dereference.
      
      Fixes: 1afca2b6 ("Input: add Pegasus Notetaker tablet driver")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Martin Kepplinger <martink@posteo.de>
      Acked-by: Vladis Dronov <vdronov@redhat.com>
      Link: https://lore.kernel.org/r/20191210113737.4016-2-johan@kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: aiptek - fix endpoint sanity check · c2764d44
      Johan Hovold authored
      commit 3111491f upstream.
      
      The driver was checking the number of endpoints of the first alternate
      setting instead of the current one, something which could lead to the
      driver binding to an invalid interface.
      
      This in turn could cause the driver to misbehave or trigger a WARN() in
      usb_submit_urb() that kernels with panic_on_warn set would choke on.
      
      Fixes: 8e20cf2b ("Input: aiptek - fix crash on detecting device without endpoints")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Vladis Dronov <vdronov@redhat.com>
      Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: gtco - fix endpoint sanity check · e11d045f
      Johan Hovold authored
      commit a8eeb74d upstream.
      
      The driver was checking the number of endpoints of the first alternate
      setting instead of the current one, something which could lead to the
      driver binding to an invalid interface.
      
      This in turn could cause the driver to misbehave or trigger a WARN() in
      usb_submit_urb() that kernels with panic_on_warn set would choke on.
      
      Fixes: 162f98de ("Input: gtco - fix crash on detecting device without endpoints")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Vladis Dronov <vdronov@redhat.com>
      Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Input: sur40 - fix interface sanity checks · 0411b242
      Johan Hovold authored
      commit 6b32391e upstream.
      
      Make sure to use the current alternate setting when verifying the
      interface descriptors to avoid binding to an invalid interface.
      
      This in turn could cause the driver to misbehave or trigger a WARN() in
      usb_submit_urb() that kernels with panic_on_warn set would choke on.
      
      Fixes: bdb5c57f ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Acked-by: Vladis Dronov <vdronov@redhat.com>
      Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
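      The four Input driver fixes from Johan Hovold above (pegasus_notetaker, aiptek, gtco and sur40) share one root cause: probe() validated the endpoint count of intf->altsetting[0] while the URBs are later submitted against intf->cur_altsetting, and a device (or a descriptor fuzzer) is free to present an alternate setting with no endpoints as the selected one. The C program below is an added illustration for this page, not code from the kernel or from the patches; the structs are simplified stand-ins that keep only the kernel field names the check uses (the real usb_host_interface keeps bNumEndpoints inside its desc member), and the two-altsetting device is constructed, not dumped from hardware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the kernel's USB core structures. Only the
 * fields the sanity check touches are kept, and bNumEndpoints is hoisted
 * out of the descriptor sub-struct the real usb_host_interface uses. */
struct usb_host_endpoint {
    uint8_t bEndpointAddress;
    uint8_t bmAttributes;
};

struct usb_host_interface {
    uint8_t bNumEndpoints;
    struct usb_host_endpoint *endpoint;   /* array of bNumEndpoints entries */
};

struct usb_interface {
    struct usb_host_interface *altsetting;     /* all alternate settings */
    unsigned int num_altsetting;
    struct usb_host_interface *cur_altsetting; /* the one the device is using */
};

/* The pre-fix check: inspects altsetting[0] regardless of which setting
 * is actually selected. Returns 1 if probe() would go on to bind. */
int probe_check_buggy(const struct usb_interface *intf)
{
    return intf->altsetting[0].bNumEndpoints == 1;
}

/* The fixed check: inspects the current alternate setting, which is the
 * one whose endpoints the driver will submit URBs to. */
int probe_check_fixed(const struct usb_interface *intf)
{
    return intf->cur_altsetting->bNumEndpoints == 1;
}

/* What the driver does after binding: fetch endpoint[0] of the current
 * setting. Returns the endpoint address, or -1 when the access would be
 * the NULL/invalid dereference the commits describe. */
int first_endpoint_address(const struct usb_interface *intf)
{
    const struct usb_host_interface *alt = intf->cur_altsetting;

    if (alt->bNumEndpoints < 1 || alt->endpoint == NULL)
        return -1;
    return alt->endpoint[0].bEndpointAddress;
}

/* Constructed device (not a real descriptor dump): alt 0 carries one
 * interrupt-IN endpoint, alt 1 carries none, and the device, as a
 * descriptor fuzzer might arrange, comes up with alt 1 selected. */
static struct usb_host_endpoint alt0_ep[1] = { { 0x81, 0x03 } };
static struct usb_host_interface alts[2] = {
    { 1, alt0_ep },
    { 0, NULL },
};
static struct usb_interface hostile_intf = { alts, 2, &alts[1] };
static struct usb_interface benign_intf  = { alts, 2, &alts[0] };

int main(void)
{
    printf("hostile: buggy=%d fixed=%d ep=%d\n",
           probe_check_buggy(&hostile_intf), probe_check_fixed(&hostile_intf),
           first_endpoint_address(&hostile_intf));
    printf("benign:  buggy=%d fixed=%d ep=%d\n",
           probe_check_buggy(&benign_intf), probe_check_fixed(&benign_intf),
           first_endpoint_address(&benign_intf));
    return 0;
}
```

      Against the hostile interface the buggy check binds (altsetting[0] looks fine) and the subsequent endpoint access has nothing to dereference; the fixed check refuses the bind up front. The general rule for USB probe() code is to validate whatever intf->cur_altsetting describes, because that is the only descriptor set the core guarantees the driver is operating on.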
    • Input: pm8xxx-vib - fix handling of separate enable register · 1130377f
      Stephan Gerhold authored
      commit 996d5d5f upstream.
      
      Setting the vibrator enable_mask is not implemented correctly:
      
      For regmap_update_bits(map, reg, mask, val) we give in either
      regs->enable_mask or 0 (= no-op) as mask and "val" as value.
      But "val" actually refers to the vibrator voltage control register,
      which has nothing to do with the enable_mask.
      
      So we usually end up doing nothing when we really wanted
      to enable the vibrator.
      
      We want to set or clear the enable_mask (to enable/disable the vibrator).
      Therefore, change the call to always modify the enable_mask
      and set the bits only if we want to enable the vibrator.
      
      Fixes: d4c7c5c9 ("Input: pm8xxx-vib - handle separate enable register")
      Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
      Link: https://lore.kernel.org/r/20200114183442.45720-1-stephan@gerhold.net
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Documentation: Document arm64 kpti control · c57b0f88
      Jeremy Linton authored
      commit de190555 upstream.
      
      For a while Arm64 has been capable of force enabling
      or disabling the kpti mitigations. Let's make sure the
      documentation reflects that.
      
      Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
      Reviewed-by: Andre Przywara <andre.przywara@arm.com>
      Signed-off-by: Jonathan Corbet <corbet@lwn.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mmc: sdhci: fix minimum clock rate for v3 controller · da6b467e
      Michał Mirosław authored
      commit 2a187d03 upstream.
      
      For SDHCIv3+ with programmable clock mode, minimal clock frequency is
      still base clock / max(divider). Minimal programmable clock frequency is
      always greater than minimal divided clock frequency. Without this patch,
      SDHCI uses out-of-spec initial frequency when the multiplier is big enough:
      
      mmc1: mmc_rescan_try_freq: trying to init card at 468750 Hz
      [for 480 MHz source clock divided by 1024]
      
      The code in sdhci_calc_clk() already chooses a correct SDCLK clock mode.
      
      Fixes: c3ed3877 ("mmc: sdhci: add support for programmable clock mode")
      Cc: <stable@vger.kernel.org> # 4f6aa326: mmc: tegra: Only advertise UHS modes if IO regulator is present
      Cc: <stable@vger.kernel.org>
      Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
      Acked-by: Adrian Hunter <adrian.hunter@intel.com>
      Link: https://lore.kernel.org/r/ffb489519a446caffe7a0a05c4b9372bd52397bb.1579082031.git.mirq-linux@rere.qmqm.pl
      Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • mmc: tegra: fix SDR50 tuning override · dd5d5e77
      Michał Mirosław authored
      commit f571389c upstream.
      
      Commit 7ad2ed1d inadvertently mixed up a quirk flag's name and
      broke SDR50 tuning override. Use correct NVQUIRK_ name.
      
      Fixes: 7ad2ed1d ("mmc: tegra: enable UHS-I modes")
      Cc: <stable@vger.kernel.org>
      Acked-by: Adrian Hunter <adrian.hunter@intel.com>
      Reviewed-by: Thierry Reding <treding@nvidia.com>
      Tested-by: Thierry Reding <treding@nvidia.com>
      Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
      Link: https://lore.kernel.org/r/9aff1d859935e59edd81e4939e40d6c55e0b55f6.1578390388.git.mirq-linux@rere.qmqm.pl
      Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ARM: 8950/1: ftrace/recordmcount: filter relocation types · bb4768b0
      Alex Sverdlin authored
      commit 927d780e upstream.
      
      Scenario 1, ARMv7
      =================
      
      If code in arch/arm/kernel/ftrace.c would operate on mcount() pointer
      the following may be generated:
      
      00000230 <prealloc_fixed_plts>:
       230:   b5f8            push    {r3, r4, r5, r6, r7, lr}
       232:   b500            push    {lr}
       234:   f7ff fffe       bl      0 <__gnu_mcount_nc>
                              234: R_ARM_THM_CALL     __gnu_mcount_nc
       238:   f240 0600       movw    r6, #0
                              238: R_ARM_THM_MOVW_ABS_NC      __gnu_mcount_nc
       23c:   f8d0 1180       ldr.w   r1, [r0, #384]  ; 0x180
      
      FTRACE currently is not able to deal with it:
      
      WARNING: CPU: 0 PID: 0 at .../kernel/trace/ftrace.c:1979 ftrace_bug+0x1ad/0x230()
      ...
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.116-... #1
      ...
      [<c0314e3d>] (unwind_backtrace) from [<c03115e9>] (show_stack+0x11/0x14)
      [<c03115e9>] (show_stack) from [<c051a7f1>] (dump_stack+0x81/0xa8)
      [<c051a7f1>] (dump_stack) from [<c0321c5d>] (warn_slowpath_common+0x69/0x90)
      [<c0321c5d>] (warn_slowpath_common) from [<c0321cf3>] (warn_slowpath_null+0x17/0x1c)
      [<c0321cf3>] (warn_slowpath_null) from [<c038ee9d>] (ftrace_bug+0x1ad/0x230)
      [<c038ee9d>] (ftrace_bug) from [<c038f1f9>] (ftrace_process_locs+0x27d/0x444)
      [<c038f1f9>] (ftrace_process_locs) from [<c08915bd>] (ftrace_init+0x91/0xe8)
      [<c08915bd>] (ftrace_init) from [<c0885a67>] (start_kernel+0x34b/0x358)
      [<c0885a67>] (start_kernel) from [<00308095>] (0x308095)
      ---[ end trace cb88537fdc8fa200 ]---
      ftrace failed to modify [<c031266c>] prealloc_fixed_plts+0x8/0x60
       actual: 44:f2:e1:36
      ftrace record flags: 0
       (0)   expected tramp: c03143e9
      
      Scenario 2, ARMv4T
      ==================
      
      ftrace: allocating 14435 entries in 43 pages
      ------------[ cut here ]------------
      WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:2029 ftrace_bug+0x204/0x310
      CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.5 #1
      Hardware name: Cirrus Logic EDB9302 Evaluation Board
      [<c0010a24>] (unwind_backtrace) from [<c000ecb0>] (show_stack+0x20/0x2c)
      [<c000ecb0>] (show_stack) from [<c03c72e8>] (dump_stack+0x20/0x30)
      [<c03c72e8>] (dump_stack) from [<c0021c18>] (__warn+0xdc/0x104)
      [<c0021c18>] (__warn) from [<c0021d7c>] (warn_slowpath_null+0x4c/0x5c)
      [<c0021d7c>] (warn_slowpath_null) from [<c0095360>] (ftrace_bug+0x204/0x310)
      [<c0095360>] (ftrace_bug) from [<c04dabac>] (ftrace_init+0x3b4/0x4d4)
      [<c04dabac>] (ftrace_init) from [<c04cef4c>] (start_kernel+0x20c/0x410)
      [<c04cef4c>] (start_kernel) from [<00000000>] (  (null))
      ---[ end trace 0506a2f5dae6b341 ]---
      ftrace failed to modify
      [<c000c350>] perf_trace_sys_exit+0x5c/0xe8
       actual:   1e:ff:2f:e1
      Initializing ftrace call sites
      ftrace record flags: 0
       (0)
       expected tramp: c000fb24
      
      The analysis for this problem has been already performed previously,
      refer to the link below.
      
      Fix the above problems by allowing only selected reloc types in
      __mcount_loc. The list itself comes from the legacy recordmcount.pl
      script.
      
      Link: https://lore.kernel.org/lkml/56961010.6000806@pengutronix.de/
      Cc: stable@vger.kernel.org
      Fixes: ed60453f ("ARM: 6511/1: ftrace: add ARM support for C version of recordmcount")
      Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
      Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • Hans Verkuil's avatar
      Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers" · ac390c98
      Hans Verkuil authored
      commit 8ff771f8 upstream.
      
      This reverts commit a284e11c.
      
      This causes problems (drifting cursor) with at least the F11 function that
      reads more than 32 bytes.
      
      The real issue is in the F54 driver, and so this should be fixed there, and
      not in rmi_smbus.c.
      
      So first revert this bad commit, then fix the real problem in F54 in another
      patch.
      Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: Timo Kaufmann <timokau@zoho.com>
      Fixes: a284e11c ("Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers")
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20200115124819.3191024-2-hverkuil-cisco@xs4all.nl
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac390c98
    • Johan Hovold's avatar
      Input: keyspan-remote - fix control-message timeouts · 68c538b4
      Johan Hovold authored
      commit ba9a103f upstream.
      
      The driver was issuing synchronous uninterruptible control requests
      without using a timeout. This could lead to the driver hanging on probe
      due to a malfunctioning (or malicious) device until the device is
      physically disconnected. While sleeping in probe the driver prevents
      other devices connected to the same hub from being added to (or removed
      from) the bus.
      
      The USB upper limit of five seconds per request should be more than
      enough.
      
      Fixes: 99f83c9c ("[PATCH] USB: add driver for Keyspan Digital Remote")
      Signed-off-by: Johan Hovold <johan@kernel.org>
      Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: stable <stable@vger.kernel.org>     # 2.6.13
      Link: https://lore.kernel.org/r/20200113171715.30621-1-johan@kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      68c538b4
    • Guenter Roeck's avatar
      hwmon: (core) Do not use device managed functions for memory allocations · 0a36cb84
      Guenter Roeck authored
      commit 3bf8bdcf upstream.
      
      The hwmon core uses device managed functions, tied to the hwmon parent
      device, for various internal memory allocations. This is problematic
      since hwmon device lifetime does not necessarily match its parent's
      device lifetime. If there is a mismatch, memory leaks will accumulate
      until the parent device is released.
      
      Fix the problem by managing all memory allocations internally. The only
      exception is memory allocation for thermal device registration, which
      can be tied to the hwmon device, along with thermal device registration
      itself.
      
      Fixes: d560168b ("hwmon: (core) New hwmon registration API")
      Cc: stable@vger.kernel.org # v4.14.x: 47c332de: hwmon: Deal with errors from the thermal subsystem
      Cc: stable@vger.kernel.org # v4.14.x: 74e35127: hwmon: (core) Fix double-free in __hwmon_device_register()
      Cc: stable@vger.kernel.org # v4.9.x: 3a412d5e: hwmon: (core) Simplify sysfs attribute name allocation
      Cc: stable@vger.kernel.org # v4.9.x: 47c332de: hwmon: Deal with errors from the thermal subsystem
      Cc: stable@vger.kernel.org # v4.9.x: 74e35127: hwmon: (core) Fix double-free in __hwmon_device_register()
      Cc: stable@vger.kernel.org # v4.9+
      Cc: Martin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a36cb84
    • Dmitry Osipenko's avatar
      hwmon: (core) Fix double-free in __hwmon_device_register() · ffea8daa
      Dmitry Osipenko authored
      commit 74e35127 upstream.
      
      Fix double-free that happens when thermal zone setup fails, see KASAN log
      below.
      
      ==================================================================
      BUG: KASAN: double-free or invalid-free in __hwmon_device_register+0x5dc/0xa7c
      
      CPU: 0 PID: 132 Comm: kworker/0:2 Tainted: G    B             4.19.0-rc8-next-20181016-00042-gb52cd80401e9-dirty #41
      Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
      Workqueue: events deferred_probe_work_func
      Backtrace:
      [<c0110540>] (dump_backtrace) from [<c0110944>] (show_stack+0x20/0x24)
      [<c0110924>] (show_stack) from [<c105cb08>] (dump_stack+0x9c/0xb0)
      [<c105ca6c>] (dump_stack) from [<c02fdaec>] (print_address_description+0x68/0x250)
      [<c02fda84>] (print_address_description) from [<c02fd4ac>] (kasan_report_invalid_free+0x68/0x88)
      [<c02fd444>] (kasan_report_invalid_free) from [<c02fc85c>] (__kasan_slab_free+0x1f4/0x200)
      [<c02fc668>] (__kasan_slab_free) from [<c02fd0c0>] (kasan_slab_free+0x14/0x18)
      [<c02fd0ac>] (kasan_slab_free) from [<c02f9c6c>] (kfree+0x90/0x294)
      [<c02f9bdc>] (kfree) from [<c0b41bbc>] (__hwmon_device_register+0x5dc/0xa7c)
      [<c0b415e0>] (__hwmon_device_register) from [<c0b421e8>] (hwmon_device_register_with_info+0xa0/0xa8)
      [<c0b42148>] (hwmon_device_register_with_info) from [<c0b42324>] (devm_hwmon_device_register_with_info+0x74/0xb4)
      [<c0b422b0>] (devm_hwmon_device_register_with_info) from [<c0b4481c>] (lm90_probe+0x414/0x578)
      [<c0b44408>] (lm90_probe) from [<c0aeeff4>] (i2c_device_probe+0x35c/0x384)
      [<c0aeec98>] (i2c_device_probe) from [<c08776cc>] (really_probe+0x290/0x3e4)
      [<c087743c>] (really_probe) from [<c0877a2c>] (driver_probe_device+0x80/0x1c4)
      [<c08779ac>] (driver_probe_device) from [<c0877da8>] (__device_attach_driver+0x104/0x11c)
      [<c0877ca4>] (__device_attach_driver) from [<c0874dd8>] (bus_for_each_drv+0xa4/0xc8)
      [<c0874d34>] (bus_for_each_drv) from [<c08773b0>] (__device_attach+0xf0/0x15c)
      [<c08772c0>] (__device_attach) from [<c0877e24>] (device_initial_probe+0x1c/0x20)
      [<c0877e08>] (device_initial_probe) from [<c08762f4>] (bus_probe_device+0xdc/0xec)
      [<c0876218>] (bus_probe_device) from [<c0876a08>] (deferred_probe_work_func+0xa8/0xd4)
      [<c0876960>] (deferred_probe_work_func) from [<c01527c4>] (process_one_work+0x3dc/0x96c)
      [<c01523e8>] (process_one_work) from [<c01541e0>] (worker_thread+0x4ec/0x8bc)
      [<c0153cf4>] (worker_thread) from [<c015b238>] (kthread+0x230/0x240)
      [<c015b008>] (kthread) from [<c01010bc>] (ret_from_fork+0x14/0x38)
      Exception stack(0xcf743fb0 to 0xcf743ff8)
      3fa0:                                     00000000 00000000 00000000 00000000
      3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
      3fe0: 00000000 00000000 00000000 00000000 00000013 00000000
      
      Allocated by task 132:
       kasan_kmalloc.part.1+0x58/0xf4
       kasan_kmalloc+0x90/0xa4
       kmem_cache_alloc_trace+0x90/0x2a0
       __hwmon_device_register+0xbc/0xa7c
       hwmon_device_register_with_info+0xa0/0xa8
       devm_hwmon_device_register_with_info+0x74/0xb4
       lm90_probe+0x414/0x578
       i2c_device_probe+0x35c/0x384
       really_probe+0x290/0x3e4
       driver_probe_device+0x80/0x1c4
       __device_attach_driver+0x104/0x11c
       bus_for_each_drv+0xa4/0xc8
       __device_attach+0xf0/0x15c
       device_initial_probe+0x1c/0x20
       bus_probe_device+0xdc/0xec
       deferred_probe_work_func+0xa8/0xd4
       process_one_work+0x3dc/0x96c
       worker_thread+0x4ec/0x8bc
       kthread+0x230/0x240
       ret_from_fork+0x14/0x38
         (null)
      
      Freed by task 132:
       __kasan_slab_free+0x12c/0x200
       kasan_slab_free+0x14/0x18
       kfree+0x90/0x294
       hwmon_dev_release+0x1c/0x20
       device_release+0x4c/0xe8
       kobject_put+0xac/0x11c
       device_unregister+0x2c/0x30
       __hwmon_device_register+0xa58/0xa7c
       hwmon_device_register_with_info+0xa0/0xa8
       devm_hwmon_device_register_with_info+0x74/0xb4
       lm90_probe+0x414/0x578
       i2c_device_probe+0x35c/0x384
       really_probe+0x290/0x3e4
       driver_probe_device+0x80/0x1c4
       __device_attach_driver+0x104/0x11c
       bus_for_each_drv+0xa4/0xc8
       __device_attach+0xf0/0x15c
       device_initial_probe+0x1c/0x20
       bus_probe_device+0xdc/0xec
       deferred_probe_work_func+0xa8/0xd4
       process_one_work+0x3dc/0x96c
       worker_thread+0x4ec/0x8bc
       kthread+0x230/0x240
       ret_from_fork+0x14/0x38
         (null)
      
      Cc: <stable@vger.kernel.org> # v4.15+
      Fixes: 47c332de ("hwmon: Deal with errors from the thermal subsystem")
      Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ffea8daa
    • Linus Walleij's avatar
      hwmon: Deal with errors from the thermal subsystem · 4c7b99b4
      Linus Walleij authored
      commit 47c332de upstream.
      
      If the thermal subsystem returns -EPROBE_DEFER or any other error
      when hwmon calls devm_thermal_zone_of_sensor_register(), this is
      silently ignored.
      
      I ran into this with an incorrectly defined thermal zone, making
      it non-existing and thus this call failed with -EPROBE_DEFER
      assuming it would appear later. The sensor was still added
      which is incorrect: sensors must strictly be added after the
      thermal zones, so deferred probe must be respected.
      
      Fixes: d560168b ("hwmon: (core) New hwmon registration API")
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c7b99b4
    • Luuk Paulussen's avatar
      hwmon: (adt7475) Make volt2reg return same reg as reg2volt input · 6090ac18
      Luuk Paulussen authored
      commit cf3ca187 upstream.
      
      reg2volt returns the voltage that matches a given register value.
      Converting this back the other way with volt2reg didn't return the same
      register value because it used truncation instead of rounding.
      
      This meant that values read from sysfs could not be written back to sysfs
      to set back the same register value.
      
      With this change, volt2reg will return the same value for every voltage
      previously returned by reg2volt (for the set of possible input values).

      Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
      Link: https://lore.kernel.org/r/20191205231659.1301-1-luuk.paulussen@alliedtelesis.co.nz
      cc: stable@vger.kernel.org
      Signed-off-by: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      6090ac18
    • Eric Dumazet's avatar
      net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() · e8412528
      Eric Dumazet authored
      [ Upstream commit d836f5c6 ]
      
      rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
      checks that we apply in do_setlink()
      
      Otherwise malicious users can crash the kernel, for example after
      an integer overflow :
      
      BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
      BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
      Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0
      
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       check_memory_region_inline mm/kasan/generic.c:185 [inline]
       check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
       memset+0x24/0x40 mm/kasan/common.c:108
       memset include/linux/string.h:365 [inline]
       __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
       alloc_skb include/linux/skbuff.h:1049 [inline]
       alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
       sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
       sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
       mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
       add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
       add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
       mld_send_cr net/ipv6/mcast.c:1970 [inline]
       mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
       call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
       expire_timers kernel/time/timer.c:1449 [inline]
       __run_timers kernel/time/timer.c:1773 [inline]
       __run_timers kernel/time/timer.c:1740 [inline]
       run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       invoke_softirq kernel/softirq.c:373 [inline]
       irq_exit+0x19b/0x1e0 kernel/softirq.c:413
       exiting_irq arch/x86/include/asm/apic.h:536 [inline]
       smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
       </IRQ>
      RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
      Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 <c3> cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
      RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
      RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
      RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
      RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
      R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
       arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
       default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
       cpuidle_idle_call kernel/sched/idle.c:154 [inline]
       do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
       cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
       rest_init+0x23b/0x371 init/main.c:451
       arch_call_rest_init+0xe/0x1b
       start_kernel+0x904/0x943 init/main.c:784
       x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
       x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
       secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
      
      The buggy address belongs to the page:
      page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
      raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                                 ^
       ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      
      Fixes: 61e84623 ("net: centralize net_device min/max MTU checking")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8412528
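The range check this commit restores, and the size wrap-around an unchecked MTU can cause, as an added userspace model in C. This is example code written for this page, not kernel code: the device limits, the headroom and tailroom constants and the `netdev_model` struct are assumptions standing in for dev->min_mtu, dev->max_mtu and the real skb sizing; `validate_mtu` mirrors the do_setlink() check the commit message describes as missing from rtnl_create_link().

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed per-device MTU range, standing in for dev->min_mtu / dev->max_mtu. */
#define DEV_MIN_MTU 68u
#define DEV_MAX_MTU 65535u
/* Assumed headroom and tailroom added to the MTU when a packet buffer is sized. */
#define HDR_RESERVE 128u
#define TAIL_RESERVE 64u

struct netdev_model {
    uint32_t mtu;
    uint32_t min_mtu;
    uint32_t max_mtu;
};

/* The range check do_setlink() already applied and rtnl_create_link() lacked. */
static int validate_mtu(uint32_t new_mtu, uint32_t min_mtu, uint32_t max_mtu)
{
    if (new_mtu < min_mtu || new_mtu > max_mtu)
        return -ERANGE;
    return 0;
}

/* Pre-fix behaviour: the IFLA_MTU value is stored as-is. */
static int set_mtu_unchecked(struct netdev_model *dev, uint32_t new_mtu)
{
    dev->mtu = new_mtu;
    return 0;
}

/* Post-fix behaviour: reject anything outside the device's range. */
static int set_mtu_checked(struct netdev_model *dev, uint32_t new_mtu)
{
    int err = validate_mtu(new_mtu, dev->min_mtu, dev->max_mtu);
    if (err)
        return err;
    dev->mtu = new_mtu;
    return 0;
}

/*
 * Size a packet buffer from the MTU the way a 32-bit size computation would:
 * the addition wraps for a huge MTU and the buffer ends up far too small for
 * the MTU-sized payload that is later written into it.
 * Returns 1 when payload plus reserves actually fits in the computed size.
 */
static int payload_fits(const struct netdev_model *dev)
{
    uint32_t alloc = dev->mtu + HDR_RESERVE + TAIL_RESERVE;          /* wraps modulo 2^32 */
    uint64_t needed = (uint64_t)dev->mtu + HDR_RESERVE + TAIL_RESERVE;
    return (uint64_t)alloc >= needed;
}

/* Scenario helper: fresh device with a sane 1500-byte MTU, then one checked request. */
static int checked_rejects(uint32_t requested)
{
    struct netdev_model dev = { 1500, DEV_MIN_MTU, DEV_MAX_MTU };
    return set_mtu_checked(&dev, requested);
}

/* Returns 1 if accepting the request without validation yields a wrapped buffer size. */
static int unchecked_overflows(uint32_t requested)
{
    struct netdev_model dev = { 1500, DEV_MIN_MTU, DEV_MAX_MTU };
    set_mtu_unchecked(&dev, requested);
    return !payload_fits(&dev);
}

int main(void)
{
    uint32_t evil = 0xFFFFFFA0u;   /* an IFLA_MTU value supplied over netlink */
    printf("unchecked: buffer size wrapped? %d\n", unchecked_overflows(evil));
    printf("checked:   err=%d (-ERANGE is %d)\n", checked_rejects(evil), -ERANGE);
    return 0;
}
```

With 0xFFFFFFA0 the unchecked path computes a 96-byte buffer for a four-gigabyte payload, which is the shape of the KASAN report above; the checked path returns -ERANGE and leaves the MTU untouched.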
    • Wen Yang's avatar
      tcp_bbr: improve arithmetic division in bbr_update_bw() · 7e70784f
      Wen Yang authored
      [ Upstream commit 5b2f1f30 ]
      
      do_div() does a 64-by-32 division. Use div64_long() instead of it
      if the divisor is long, to avoid truncation to 32-bit.
      And as a nice side effect also cleans up the function a bit.

      Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      7e70784f
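The truncation the commit message describes, as an added userspace model in C (example code written for this page, not the kernel's do_div() or tcp_bbr.c): `do_div_model` and `div64_long_model` are stand-ins for the two kernel helpers, `BW_UNIT` is an assumed fixed-point scale, and the bandwidth functions only reproduce the shape of the division in bbr_update_bw(). The large interval value is contrived so that the lost high bits are visible; the point is that a `long` divisor passed through a 32-bit parameter changes the result silently, or becomes zero.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed fixed-point scale for bandwidth, standing in for BBR's BW_UNIT. */
#define BW_UNIT (1ULL << 24)

/*
 * Model of do_div(n, base): a 64-by-32 division. The real macro takes a
 * 32-bit base, so a wider divisor is truncated before the division runs.
 * Returns the remainder and leaves the quotient in *n, like the kernel macro.
 */
static uint32_t do_div_model(uint64_t *n, uint32_t base)
{
    uint32_t rem = (uint32_t)(*n % base);
    *n /= base;
    return rem;
}

/* Model of div64_long(): the divisor keeps its full width. */
static uint64_t div64_long_model(uint64_t n, int64_t d)
{
    return n / (uint64_t)d;
}

/* What the divisor becomes once it passes through do_div()'s 32-bit parameter. */
static uint32_t truncated_divisor(int64_t interval_us)
{
    return (uint32_t)interval_us;
}

/*
 * Pre-fix shape: bw = delivered * BW_UNIT / interval_us computed with do_div().
 * Returns UINT64_MAX where the truncated divisor is zero, which in the kernel
 * would be a divide-by-zero fault rather than a wrong number.
 */
static uint64_t bw_with_do_div(uint64_t delivered, int64_t interval_us)
{
    uint64_t bw = delivered * BW_UNIT;
    uint32_t base = truncated_divisor(interval_us);
    if (base == 0)
        return UINT64_MAX;
    do_div_model(&bw, base);
    return bw;
}

/* Post-fix shape: the same sample with a full-width divisor. */
static uint64_t bw_with_div64(uint64_t delivered, int64_t interval_us)
{
    return div64_long_model(delivered * BW_UNIT, interval_us);
}

int main(void)
{
    int64_t small = 100;                         /* fits in 32 bits: both agree */
    int64_t huge = (INT64_C(1) << 32) + 1000;    /* high bits lost by do_div() */

    printf("interval=%lld do_div=%llu div64=%llu\n", (long long)small,
           (unsigned long long)bw_with_do_div(1000, small),
           (unsigned long long)bw_with_div64(1000, small));
    printf("interval=%lld do_div=%llu div64=%llu\n", (long long)huge,
           (unsigned long long)bw_with_do_div(1000, huge),
           (unsigned long long)bw_with_div64(1000, huge));
    printf("interval=2^32 truncated divisor=%u\n",
           truncated_divisor(INT64_C(1) << 32));
    return 0;
}
```

For the small interval both helpers give the same bandwidth; for the large one do_div() divides by 1000 instead of 4294968296 and reports a value millions of times too high, and an interval of exactly 2^32 truncates to a zero divisor.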
    • James Hughes's avatar
      net: usb: lan78xx: Add .ndo_features_check · d6502fc2
      James Hughes authored
      [ Upstream commit ce896476 ]
      
      As reported by Eric Dumazet, there are still some outstanding
      cases where the driver does not handle TSO correctly when skb's
      are over a certain size. Most cases have been fixed, this patch
      should ensure that forwarded SKB's that are greater than
      MAX_SINGLE_PACKET_SIZE - TX_OVERHEAD are software segmented
      and handled correctly.

      Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      d6502fc2
    • Jouni Hogander's avatar
      net-sysfs: Fix reference count leak · c5fd8a37
      Jouni Hogander authored
      [ Upstream commit cb626bf5 ]
      
      Netdev_register_kobject is calling device_initialize. In case of error
      reference taken by device_initialize is not given up.
      
      Drivers are supposed to call free_netdev in case of error. In non-error
      case the last reference is given up there and device release sequence
      is triggered. In error case this reference is kept and the release
      sequence is never started.
      
      Fix this by setting reg_state as NETREG_UNREGISTERED if registering
      fails.
      
      This is the root cause of a couple of memory leaks reported by Syzkaller:
      
      BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
        comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
          00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
        backtrace:
          [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
          [<000000002340019b>] device_add+0x882/0x1750
          [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
          [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
          [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
          [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
          [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
          [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
          [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
          [<00000000984cabb9>] do_syscall_64+0x16f/0x580
          [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<00000000e6ca2d9f>] 0xffffffffffffffff
      
      BUG: memory leak
      unreferenced object 0xffff8880668ba588 (size 8):
        comm "kobject_set_nam", pid 286, jiffies 4294725297 (age 9.871s)
        hex dump (first 8 bytes):
          6e 72 30 00 cc be df 2b                          nr0....+
        backtrace:
          [<00000000a322332a>] __kmalloc_track_caller+0x16e/0x290
          [<00000000236fd26b>] kstrdup+0x3e/0x70
          [<00000000dd4a2815>] kstrdup_const+0x3e/0x50
          [<0000000049a377fc>] kvasprintf_const+0x10e/0x160
          [<00000000627fc711>] kobject_set_name_vargs+0x5b/0x140
          [<0000000019eeab06>] dev_set_name+0xc0/0xf0
          [<0000000069cb12bc>] netdev_register_kobject+0xc8/0x320
          [<00000000f2e83732>] register_netdevice+0xa1b/0xf00
          [<000000009e1f57cc>] __tun_chr_ioctl+0x20d5/0x3dd0
          [<000000009c560784>] tun_chr_ioctl+0x2f/0x40
          [<000000000d759e02>] do_vfs_ioctl+0x1c7/0x1510
          [<00000000351d7c31>] ksys_ioctl+0x99/0xb0
          [<000000008390040a>] __x64_sys_ioctl+0x78/0xb0
          [<0000000052d196b7>] do_syscall_64+0x16f/0x580
          [<0000000019af9236>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<00000000bc384531>] 0xffffffffffffffff
      
      v3 -> v4:
        Set reg_state to NETREG_UNREGISTERED if registering fails
      
      v2 -> v3:
      * Replaced BUG_ON with WARN_ON in free_netdev and netdev_release
      
      v1 -> v2:
      * Relying on driver calling free_netdev rather than calling
        put_device directly in error path
      
      Reported-by: syzbot+ad8ca40ecd77896d51e2@syzkaller.appspotmail.com
      Cc: David Miller <davem@davemloft.net>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      c5fd8a37
    • Jouni Hogander's avatar
      net-sysfs: Call dev_hold always in rx_queue_add_kobject · 8aca069f
      Jouni Hogander authored
      commit ddd9b5e3 upstream.
      
      Dev_hold has to be called always in rx_queue_add_kobject.
      Otherwise usage count drops below 0 in case of failure in
      kobject_init_and_add.
      
      Fixes: b8eb7183 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
      Reported-by: syzbot <syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: David Miller <davem@davemloft.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      8aca069f
    • Jouni Hogander's avatar
      net-sysfs: Call dev_hold always in netdev_queue_add_kobject · 8ba773a2
      Jouni Hogander authored
      commit e0b60903 upstream.
      
      Dev_hold has to be called always in netdev_queue_add_kobject.
      Otherwise usage count drops below 0 in case of failure in
      kobject_init_and_add.
      
      Fixes: b8eb7183 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Cc: David Miller <davem@davemloft.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      8ba773a2
    • Eric Dumazet's avatar
      net-sysfs: fix netdev_queue_add_kobject() breakage · 5f363368
      Eric Dumazet authored
      commit 48a322b6 upstream.
      
      kobject_put() should only be called in error path.
      
      Fixes: b8eb7183 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Jouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      5f363368
    • Jouni Hogander's avatar
      net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject · 7ac7cc5e
      Jouni Hogander authored
      commit b8eb7183 upstream.
      
      kobject_init_and_add takes reference even when it fails. This has
      to be given up by the caller in error handling. Otherwise memory
      allocated by kobject_init_and_add is never freed. Originally found
      by Syzkaller:
      
      BUG: memory leak
      unreferenced object 0xffff8880679f8b08 (size 8):
        comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
        hex dump (first 8 bytes):
          72 78 2d 30 00 36 20 d4                          rx-0.6 .
        backtrace:
          [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
          [<000000001f2e4e49>] kvasprintf+0xb1/0x140
          [<000000007f313394>] kvasprintf_const+0x56/0x160
          [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
          [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
          [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
          [<000000006be5f104>] netdev_register_kobject+0x210/0x380
          [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
          [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
          [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
          [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
          [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
          [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
          [<0000000038d946e5>] do_syscall_64+0x16f/0x580
          [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
          [<00000000285b3d1a>] 0xffffffffffffffff
      
      Cc: David Miller <davem@davemloft.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ac7cc5e
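The ownership rule behind this commit and the three follow-ups above (48a322b6, e0b60903, ddd9b5e3): kobject_init_and_add() hands the caller a reference even when it fails, so the error path must kobject_put() it, and only the error path. Below is an added userspace model in C written for this page, not kernel code: `kobj_model`, `kobj_init_and_add`, `kobj_put` and the three `queue_add_*` variants are stand-ins for the real kobject API and for rx_queue_add_kobject()/netdev_queue_add_kobject() before the fix, after the over-correction, and after the fix. The dev_hold() ordering addressed by the later two commits is not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Objects whose release has not run; non-zero after a failed add means a leak. */
static int live_objects;

/* Minimal stand-in for struct kobject: a reference count and a name set during init. */
struct kobj_model {
    int refcount;
    char *name;
};

static void kobj_release(struct kobj_model *k)
{
    free(k->name);
    k->name = NULL;
    live_objects--;
}

/* Like kobject_put(): drop one reference, release on the last one. */
static void kobj_put(struct kobj_model *k)
{
    if (--k->refcount == 0)
        kobj_release(k);
}

/*
 * Like kobject_init_and_add(): the initial reference is taken and the name is
 * allocated before the "add" step, so when add fails the object is still live
 * and the caller owns that reference.
 */
static int kobj_init_and_add(struct kobj_model *k, const char *name, int fail_add)
{
    size_t len = strlen(name) + 1;
    k->refcount = 1;
    k->name = malloc(len);
    memcpy(k->name, name, len);
    live_objects++;
    if (fail_add)
        return -1;                /* e.g. the sysfs directory could not be created */
    return 0;
}

/* Pre-b8eb7183 shape: return on error without dropping the reference. */
static int queue_add_leaky(struct kobj_model *k, int fail_add)
{
    int err = kobj_init_and_add(k, "rx-0", fail_add);
    if (err)
        return err;               /* init's reference is never put: the name leaks */
    return 0;
}

/* Over-correction 48a322b6 addressed: kobject_put() on every path, success included. */
static int queue_add_overput(struct kobj_model *k, int fail_add)
{
    int err = kobj_init_and_add(k, "rx-0", fail_add);
    kobj_put(k);
    return err;
}

/* Fixed shape: put only on the error path; unregistration does the final put later. */
static int queue_add_fixed(struct kobj_model *k, int fail_add)
{
    int err = kobj_init_and_add(k, "rx-0", fail_add);
    if (err) {
        kobj_put(k);
        return err;
    }
    return 0;
}

typedef int (*add_fn)(struct kobj_model *, int);

/* Objects still live after a failed add; 0 means the error path cleaned up. */
static int leaked_after_failure(add_fn add)
{
    struct kobj_model k;
    int leaked;
    live_objects = 0;
    add(&k, 1);
    leaked = live_objects;
    if (leaked)
        free(k.name);             /* tidy the model's own leak; the kernel had no such chance */
    return leaked;
}

/* Refcount after a successful add followed by the normal teardown put; 0 is correct. */
static int refcount_after_lifecycle(add_fn add)
{
    struct kobj_model k;
    live_objects = 0;
    if (add(&k, 0) != 0)
        return -1000;             /* cannot happen: add is asked not to fail */
    kobj_put(&k);                 /* the put that unregistration performs */
    return k.refcount;            /* -1 means a put too many: double release in the kernel */
}

int main(void)
{
    printf("leaky:   leaked=%d refcount=%d\n",
           leaked_after_failure(queue_add_leaky), refcount_after_lifecycle(queue_add_leaky));
    printf("overput: leaked=%d refcount=%d\n",
           leaked_after_failure(queue_add_overput), refcount_after_lifecycle(queue_add_overput));
    printf("fixed:   leaked=%d refcount=%d\n",
           leaked_after_failure(queue_add_fixed), refcount_after_lifecycle(queue_add_fixed));
    return 0;
}
```

Only the fixed variant passes both checks: the leaky one leaves the name allocated after a failed add (the Syzkaller report above), and the over-put one survives the failure case but drives the count below zero once the device is unregistered.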
    • Cong Wang's avatar
      net_sched: fix datalen for ematch · 24ac271a
      Cong Wang authored
      [ Upstream commit 61678d28 ]
      
      syzbot reported an out-of-bound access in em_nbyte. As initially
      analyzed by Eric, this is because em_nbyte sets its own em->datalen
      in em_nbyte_change() other than the one specified by user, but this
      value gets overwritten later by its caller tcf_em_validate().
      We should leave em->datalen untouched to respect their choices.
      
      I audited all the in-tree ematch users; all of those that implement
      ->change() set em->datalen, so we can just avoid setting it twice
      in this case.
      
      Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
      Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: Eric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      24ac271a