1. 22 Jul, 2020 7 commits
    • Martin Varghese's avatar
      net: Added pointer check for dst->ops->neigh_lookup in dst_neigh_lookup_skb · 5c6e5496
      Martin Varghese authored
      [ Upstream commit 394de110 ]
      
      The packets from tunnel devices (eg bareudp) may have only
      metadata in the dst pointer of skb. Hence a pointer check of
      neigh_lookup is needed in dst_neigh_lookup_skb
      
      Kernel crashes when packets from bareudp device is processed in
      the kernel neighbour subsytem.
      
      [  133.384484] BUG: kernel NULL pointer dereference, address: 0000000000000000
      [  133.385240] #PF: supervisor instruction fetch in kernel mode
      [  133.385828] #PF: error_code(0x0010) - not-present page
      [  133.386603] PGD 0 P4D 0
      [  133.386875] Oops: 0010 [#1] SMP PTI
      [  133.387275] CPU: 0 PID: 5045 Comm: ping Tainted: G        W         5.8.0-rc2+ #15
      [  133.388052] Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
      [  133.391076] RIP: 0010:0x0
      [  133.392401] Code: Bad RIP value.
      [  133.394029] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246
      [  133.396656] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00
      [  133.399018] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400
      [  133.399685] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000
      [  133.400350] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400
      [  133.401010] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003
      [  133.401667] FS:  00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000
      [  133.402412] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  133.402948] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0
      [  133.403611] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  133.404270] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  133.404933] Call Trace:
      [  133.405169]  <IRQ>
      [  133.405367]  __neigh_update+0x5a4/0x8f0
      [  133.405734]  arp_process+0x294/0x820
      [  133.406076]  ? __netif_receive_skb_core+0x866/0xe70
      [  133.406557]  arp_rcv+0x129/0x1c0
      [  133.406882]  __netif_receive_skb_one_core+0x95/0xb0
      [  133.407340]  process_backlog+0xa7/0x150
      [  133.407705]  net_rx_action+0x2af/0x420
      [  133.408457]  __do_softirq+0xda/0x2a8
      [  133.408813]  asm_call_on_stack+0x12/0x20
      [  133.409290]  </IRQ>
      [  133.409519]  do_softirq_own_stack+0x39/0x50
      [  133.410036]  do_softirq+0x50/0x60
      [  133.410401]  __local_bh_enable_ip+0x50/0x60
      [  133.410871]  ip_finish_output2+0x195/0x530
      [  133.411288]  ip_output+0x72/0xf0
      [  133.411673]  ? __ip_finish_output+0x1f0/0x1f0
      [  133.412122]  ip_send_skb+0x15/0x40
      [  133.412471]  raw_sendmsg+0x853/0xab0
      [  133.412855]  ? insert_pfn+0xfe/0x270
      [  133.413827]  ? vvar_fault+0xec/0x190
      [  133.414772]  sock_sendmsg+0x57/0x80
      [  133.415685]  __sys_sendto+0xdc/0x160
      [  133.416605]  ? syscall_trace_enter+0x1d4/0x2b0
      [  133.417679]  ? __audit_syscall_exit+0x1d9/0x280
      [  133.418753]  ? __prepare_exit_to_usermode+0x5d/0x1a0
      [  133.419819]  __x64_sys_sendto+0x24/0x30
      [  133.420848]  do_syscall_64+0x4d/0x90
      [  133.421768]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  133.422833] RIP: 0033:0x7fe013689c03
      [  133.423749] Code: Bad RIP value.
      [  133.424624] RSP: 002b:00007ffc7288f418 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
      [  133.425940] RAX: ffffffffffffffda RBX: 000056151fc63720 RCX: 00007fe013689c03
      [  133.427225] RDX: 0000000000000040 RSI: 000056151fc63720 RDI: 0000000000000003
      [  133.428481] RBP: 00007ffc72890b30 R08: 000056151fc60500 R09: 0000000000000010
      [  133.429757] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000040
      [  133.431041] R13: 000056151fc636e0 R14: 000056151fc616bc R15: 0000000000000080
      [  133.432481] Modules linked in: mpls_iptunnel act_mirred act_tunnel_key cls_flower sch_ingress veth mpls_router ip_tunnel bareudp ip6_udp_tunnel udp_tunnel macsec udp_diag inet_diag unix_diag af_packet_diag netlink_diag binfmt_misc xt_MASQUERADE iptable_nat xt_addrtype xt_conntrack nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 br_netfilter bridge stp llc ebtable_filter ebtables overlay ip6table_filter ip6_tables iptable_filter sunrpc ext4 mbcache jbd2 pcspkr i2c_piix4 virtio_balloon joydev ip_tables xfs libcrc32c ata_generic qxl pata_acpi drm_ttm_helper ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm ata_piix libata virtio_net net_failover virtio_console failover virtio_blk i2c_core virtio_pci virtio_ring serio_raw floppy virtio dm_mirror dm_region_hash dm_log dm_mod
      [  133.444045] CR2: 0000000000000000
      [  133.445082] ---[ end trace f4aeee1958fd1638 ]---
      [  133.446236] RIP: 0010:0x0
      [  133.447180] Code: Bad RIP value.
      [  133.448152] RSP: 0018:ffffb79980003d50 EFLAGS: 00010246
      [  133.449363] RAX: 0000000080000102 RBX: ffff9de2fe0d6600 RCX: ffff9de2fe5e9d00
      [  133.450835] RDX: 0000000000000000 RSI: ffff9de2fe5e9d00 RDI: ffff9de2fc21b400
      [  133.452237] RBP: ffff9de2fe5e9d00 R08: 0000000000000000 R09: 0000000000000000
      [  133.453722] R10: ffff9de2fbc6be22 R11: ffff9de2fe0d6600 R12: ffff9de2fc21b400
      [  133.455149] R13: ffff9de2fe0d6628 R14: 0000000000000001 R15: 0000000000000003
      [  133.456520] FS:  00007fe014918740(0000) GS:ffff9de2fec00000(0000) knlGS:0000000000000000
      [  133.458046] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  133.459342] CR2: ffffffffffffffd6 CR3: 000000003bb72000 CR4: 00000000000006f0
      [  133.460782] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  133.462240] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  133.463697] Kernel panic - not syncing: Fatal exception in interrupt
      [  133.465226] Kernel Offset: 0xfa00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
      [  133.467025] ---[ end Kernel panic - not syncing: Fatal exception in interrupt ]---
      
      Fixes: aaa0c23c ("Fix dst_neigh_lookup/dst_neigh_lookup_skb return value handling bug")
      Signed-off-by: default avatarMartin Varghese <martin.varghese@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5c6e5496
    • Eric Dumazet's avatar
      llc: make sure applications use ARPHRD_ETHER · f58328d7
      Eric Dumazet authored
      [ Upstream commit a9b11101 ]
      
      syzbot was to trigger a bug by tricking AF_LLC with
      non sensible addr->sllc_arphrd
      
      It seems clear LLC requires an Ethernet device.
      
      Back in commit abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Octavian Purdila added possibility for application to use a zero
      value for sllc_arphrd, convert it to ARPHRD_ETHER to not cause
      regressions on existing applications.
      
      BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline]
      BUG: KASAN: use-after-free in list_empty include/linux/list.h:268 [inline]
      BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline]
      BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:160 [inline]
      BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2092 [inline]
      BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670 net/core/sock.c:2813
      Read of size 8 at addr ffff88801e0b4078 by task ksoftirqd/3/27
      
      CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.5.0-rc1-syzkaller #0
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x197/0x210 lib/dump_stack.c:118
       print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
       __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
       kasan_report+0x12/0x20 mm/kasan/common.c:639
       __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
       __read_once_size include/linux/compiler.h:199 [inline]
       list_empty include/linux/list.h:268 [inline]
       waitqueue_active include/linux/wait.h:126 [inline]
       wq_has_sleeper include/linux/wait.h:160 [inline]
       skwq_has_sleeper include/net/sock.h:2092 [inline]
       sock_def_write_space+0x642/0x670 net/core/sock.c:2813
       sock_wfree+0x1e1/0x260 net/core/sock.c:1958
       skb_release_head_state+0xeb/0x260 net/core/skbuff.c:652
       skb_release_all+0x16/0x60 net/core/skbuff.c:663
       __kfree_skb net/core/skbuff.c:679 [inline]
       consume_skb net/core/skbuff.c:838 [inline]
       consume_skb+0xfb/0x410 net/core/skbuff.c:832
       __dev_kfree_skb_any+0xa4/0xd0 net/core/dev.c:2967
       dev_kfree_skb_any include/linux/netdevice.h:3650 [inline]
       e1000_unmap_and_free_tx_resource.isra.0+0x21b/0x3a0 drivers/net/ethernet/intel/e1000/e1000_main.c:1963
       e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3854 [inline]
       e1000_clean+0x4cc/0x1d10 drivers/net/ethernet/intel/e1000/e1000_main.c:3796
       napi_poll net/core/dev.c:6532 [inline]
       net_rx_action+0x508/0x1120 net/core/dev.c:6600
       __do_softirq+0x262/0x98c kernel/softirq.c:292
       run_ksoftirqd kernel/softirq.c:603 [inline]
       run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
       smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
       kthread+0x361/0x430 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      
      Allocated by task 8247:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       __kasan_kmalloc mm/kasan/common.c:513 [inline]
       __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
       kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
       slab_post_alloc_hook mm/slab.h:584 [inline]
       slab_alloc mm/slab.c:3320 [inline]
       kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
       sock_alloc_inode+0x1c/0x1d0 net/socket.c:240
       alloc_inode+0x68/0x1e0 fs/inode.c:230
       new_inode_pseudo+0x19/0xf0 fs/inode.c:919
       sock_alloc+0x41/0x270 net/socket.c:560
       __sock_create+0xc2/0x730 net/socket.c:1384
       sock_create net/socket.c:1471 [inline]
       __sys_socket+0x103/0x220 net/socket.c:1513
       __do_sys_socket net/socket.c:1522 [inline]
       __se_sys_socket net/socket.c:1520 [inline]
       __ia32_sys_socket+0x73/0xb0 net/socket.c:1520
       do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
       do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
       entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
      
      Freed by task 17:
       save_stack+0x23/0x90 mm/kasan/common.c:72
       set_track mm/kasan/common.c:80 [inline]
       kasan_set_free_info mm/kasan/common.c:335 [inline]
       __kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
       kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
       __cache_free mm/slab.c:3426 [inline]
       kmem_cache_free+0x86/0x320 mm/slab.c:3694
       sock_free_inode+0x20/0x30 net/socket.c:261
       i_callback+0x44/0x80 fs/inode.c:219
       __rcu_reclaim kernel/rcu/rcu.h:222 [inline]
       rcu_do_batch kernel/rcu/tree.c:2183 [inline]
       rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408
       rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417
       __do_softirq+0x262/0x98c kernel/softirq.c:292
      
      The buggy address belongs to the object at ffff88801e0b4000
       which belongs to the cache sock_inode_cache of size 1152
      The buggy address is located 120 bytes inside of
       1152-byte region [ffff88801e0b4000, ffff88801e0b4480)
      The buggy address belongs to the page:
      page:ffffea0000782d00 refcount:1 mapcount:0 mapping:ffff88807aa59c40 index:0xffff88801e0b4ffd
      raw: 00fffe0000000200 ffffea00008e6c88 ffffea0000782d48 ffff88807aa59c40
      raw: ffff88801e0b4ffd ffff88801e0b4000 0000000100000003 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff88801e0b3f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
       ffff88801e0b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      >ffff88801e0b4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                                      ^
       ffff88801e0b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff88801e0b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      
      Fixes: abf9d537 ("llc: add support for SO_BINDTODEVICE")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f58328d7
    • Xin Long's avatar
      l2tp: remove skb_dst_set() from l2tp_xmit_skb() · a0400bbe
      Xin Long authored
      [ Upstream commit 27d53323 ]
      
      In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set
      skb's dst. However, it will eventually call inet6_csk_xmit() or
      ip_queue_xmit() where skb's dst will be overwritten by:
      
         skb_dst_set_noref(skb, dst);
      
      without releasing the old dst in skb. Then it causes dst/dev refcnt leak:
      
        unregister_netdevice: waiting for eth0 to become free. Usage count = 1
      
      This can be reproduced by simply running:
      
        # modprobe l2tp_eth && modprobe l2tp_ip
        # sh ./tools/testing/selftests/net/l2tp.sh
      
      So before going to inet6_csk_xmit() or ip_queue_xmit(), skb's dst
      should be dropped. This patch is to fix it by removing skb_dst_set()
      from l2tp_xmit_skb() and moving skb_dst_drop() into l2tp_xmit_core().
      
      Fixes: 3557baab ("[L2TP]: PPP over L2TP driver core")
      Reported-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarJames Chapman <jchapman@katalix.com>
      Tested-by: default avatarJames Chapman <jchapman@katalix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0400bbe
    • Sabrina Dubroca's avatar
      ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg · 5e8f49ed
      Sabrina Dubroca authored
      [ Upstream commit 5eff0690 ]
      
      IPv4 ping sockets don't set fl4.fl4_icmp_{type,code}, which leads to
      incomplete IPsec ACQUIRE messages being sent to userspace. Currently,
      both raw sockets and IPv6 ping sockets set those fields.
      
      Expected output of "ip xfrm monitor":
          acquire proto esp
            sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 8 code 0 dev ens4
            policy src 10.0.2.15/32 dst 8.8.8.8/32
              <snip>
      
      Currently with ping sockets:
          acquire proto esp
            sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 0 code 0 dev ens4
            policy src 10.0.2.15/32 dst 8.8.8.8/32
              <snip>
      
      The Libreswan test suite found this problem after Fedora changed the
      value for the sysctl net.ipv4.ping_group_range.
      
      Fixes: c319b4d7 ("net: ipv4: add IPPROTO_ICMP socket kind")
      Reported-by: default avatarPaul Wouters <pwouters@redhat.com>
      Tested-by: default avatarPaul Wouters <pwouters@redhat.com>
      Signed-off-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5e8f49ed
    • Sean Tranchetti's avatar
      genetlink: remove genl_bind · 0845447d
      Sean Tranchetti authored
      [ Upstream commit 1e82a62f ]
      
      A potential deadlock can occur during registering or unregistering a
      new generic netlink family between the main nl_table_lock and the
      cb_lock where each thread wants the lock held by the other, as
      demonstrated below.
      
      1) Thread 1 is performing a netlink_bind() operation on a socket. As part
         of this call, it will call netlink_lock_table(), incrementing the
         nl_table_users count to 1.
      2) Thread 2 is registering (or unregistering) a genl_family via the
         genl_(un)register_family() API. The cb_lock semaphore will be taken for
         writing.
      3) Thread 1 will call genl_bind() as part of the bind operation to handle
         subscribing to GENL multicast groups at the request of the user. It will
         attempt to take the cb_lock semaphore for reading, but it will fail and
         be scheduled away, waiting for Thread 2 to finish the write.
      4) Thread 2 will call netlink_table_grab() during the (un)registration
         call. However, as Thread 1 has incremented nl_table_users, it will not
         be able to proceed, and both threads will be stuck waiting for the
         other.
      
      genl_bind() is a noop, unless a genl_family implements the mcast_bind()
      function to handle setting up family-specific multicast operations. Since
      no one in-tree uses this functionality as Cong pointed out, simply removing
      the genl_bind() function will remove the possibility for deadlock, as there
      is no attempt by Thread 1 above to take the cb_lock semaphore.
      
      Fixes: c380d9a7 ("genetlink: pass multicast bind/unbind to families")
      Suggested-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Signed-off-by: default avatarSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0845447d
    • Taehee Yoo's avatar
      net: rmnet: fix lower interface leak · cf7318b7
      Taehee Yoo authored
      commit 2a762e9e upstream.
      
      There are two types of the lower interface of rmnet that are VND
      and BRIDGE.
      Each lower interface can have only one type either VND or BRIDGE.
      But, there is a case, which uses both lower interface types.
      Due to this unexpected behavior, lower interface leak occurs.
      
      Test commands:
          ip link add dummy0 type dummy
          ip link add dummy1 type dummy
          ip link add rmnet0 link dummy0 type rmnet mux_id 1
          ip link set dummy1 master rmnet0
          ip link add rmnet1 link dummy1 type rmnet mux_id 2
          ip link del rmnet0
      
      The dummy1 was attached as BRIDGE interface of rmnet0.
      Then, it also was attached as VND interface of rmnet1.
      This is unexpected behavior and there is no code for handling this case.
      So that below splat occurs when the rmnet0 interface is deleted.
      
      Splat looks like:
      [   53.254112][    C1] WARNING: CPU: 1 PID: 1192 at net/core/dev.c:8992 rollback_registered_many+0x986/0xcf0
      [   53.254117][    C1] Modules linked in: rmnet dummy openvswitch nsh nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nfx
      [   53.254182][    C1] CPU: 1 PID: 1192 Comm: ip Not tainted 5.8.0-rc1+ #620
      [   53.254188][    C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
      [   53.254192][    C1] RIP: 0010:rollback_registered_many+0x986/0xcf0
      [   53.254200][    C1] Code: 41 8b 4e cc 45 31 c0 31 d2 4c 89 ee 48 89 df e8 e0 47 ff ff 85 c0 0f 84 cd fc ff ff 0f 0b e5
      [   53.254205][    C1] RSP: 0018:ffff888050a5f2e0 EFLAGS: 00010287
      [   53.254214][    C1] RAX: ffff88805756d658 RBX: ffff88804d99c000 RCX: ffffffff8329d323
      [   53.254219][    C1] RDX: 1ffffffff0be6410 RSI: 0000000000000008 RDI: ffffffff85f32080
      [   53.254223][    C1] RBP: dffffc0000000000 R08: fffffbfff0be6411 R09: fffffbfff0be6411
      [   53.254228][    C1] R10: ffffffff85f32087 R11: 0000000000000001 R12: ffff888050a5f480
      [   53.254233][    C1] R13: ffff88804d99c0b8 R14: ffff888050a5f400 R15: ffff8880548ebe40
      [   53.254238][    C1] FS:  00007f6b86b370c0(0000) GS:ffff88806c200000(0000) knlGS:0000000000000000
      [   53.254243][    C1] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   53.254248][    C1] CR2: 0000562c62438758 CR3: 000000003f600005 CR4: 00000000000606e0
      [   53.254253][    C1] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [   53.254257][    C1] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [   53.254261][    C1] Call Trace:
      [   53.254266][    C1]  ? lockdep_hardirqs_on_prepare+0x379/0x540
      [   53.254270][    C1]  ? netif_set_real_num_tx_queues+0x780/0x780
      [   53.254275][    C1]  ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
      [   53.254279][    C1]  ? __kasan_slab_free+0x126/0x150
      [   53.254283][    C1]  ? kfree+0xdc/0x320
      [   53.254288][    C1]  ? rmnet_unregister_real_device+0x56/0x90 [rmnet]
      [   53.254293][    C1]  unregister_netdevice_many.part.135+0x13/0x1b0
      [   53.254297][    C1]  rtnl_delete_link+0xbc/0x100
      [   53.254301][    C1]  ? rtnl_af_register+0xc0/0xc0
      [   53.254305][    C1]  rtnl_dellink+0x2dc/0x840
      [   53.254309][    C1]  ? find_held_lock+0x39/0x1d0
      [   53.254314][    C1]  ? valid_fdb_dump_strict+0x620/0x620
      [   53.254318][    C1]  ? rtnetlink_rcv_msg+0x457/0x890
      [   53.254322][    C1]  ? lock_contended+0xd20/0xd20
      [   53.254326][    C1]  rtnetlink_rcv_msg+0x4a8/0x890
      [ ... ]
      [   73.813696][ T1192] unregister_netdevice: waiting for rmnet0 to become free. Usage count = 1
      
      Fixes: 037f9cdf ("net: rmnet: use upper/lower device infrastructure")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cf7318b7
    • Changbin Du's avatar
      perf: Make perf able to build with latest libbfd · 0753b05c
      Changbin Du authored
      commit 0ada120c upstream.
      
      libbfd has changed the bfd_section_* macros to inline functions
      bfd_section_<field> since 2019-09-18. See below two commits:
        o http://www.sourceware.org/ml/gdb-cvs/2019-09/msg00064.html
        o https://www.sourceware.org/ml/gdb-cvs/2019-09/msg00072.html
      
      This fix make perf able to build with both old and new libbfd.
      Signed-off-by: default avatarChangbin Du <changbin.du@gmail.com>
      Acked-by: default avatarJiri Olsa <jolsa@redhat.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lore.kernel.org/lkml/20200128152938.31413-1-changbin.du@gmail.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jianmin Wang <jianmin@iscas.ac.cn>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0753b05c
  2. 16 Jul, 2020 33 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.19.133 · 17a87580
      Greg Kroah-Hartman authored
      17a87580
    • Janosch Frank's avatar
      s390/mm: fix huge pte soft dirty copying · 1a575164
      Janosch Frank authored
      commit 528a9539 upstream.
      
      If the pmd is soft dirty we must mark the pte as soft dirty (and not dirty).
      This fixes some cases for guest migration with huge page backings.
      
      Cc: <stable@vger.kernel.org> # 4.8
      Fixes: bc29b7ac ("s390/mm: clean up pte/pmd encoding")
      Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: default avatarJanosch Frank <frankja@linux.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <hca@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1a575164
    • Vineet Gupta's avatar
      ARC: elf: use right ELF_ARCH · 391a502e
      Vineet Gupta authored
      commit b7faf971 upstream.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      391a502e
    • Vineet Gupta's avatar
      ARC: entry: fix potential EFA clobber when TIF_SYSCALL_TRACE · 01b636cb
      Vineet Gupta authored
      commit 00fdec98 upstream.
      
      Trap handler for syscall tracing reads EFA (Exception Fault Address),
      in case strace wants PC of trap instruction (EFA is not part of pt_regs
      as of current code).
      
      However this EFA read is racy as it happens after dropping to pure
      kernel mode (re-enabling interrupts). A taken interrupt could
      context-switch, trigger a different task's trap, clobbering EFA for this
      execution context.
      
      Fix this by reading EFA early, before re-enabling interrupts. A slight
      side benefit is de-duplication of FAKE_RET_FROM_EXCPN in trap handler.
      The trap handler is common to both ARCompact and ARCv2 builds too.
      
      This just came out of code rework/review and no real problem was reported
      but is clearly a potential problem specially for strace.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarVineet Gupta <vgupta@synopsys.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01b636cb
    • Mikulas Patocka's avatar
      dm: use noio when sending kobject event · 35a9af8d
      Mikulas Patocka authored
      commit 6958c1c6 upstream.
      
      kobject_uevent may allocate memory and it may be called while there are dm
      devices suspended. The allocation may recurse into a suspended device,
      causing a deadlock. We must set the noio flag when sending a uevent.
      
      The observed deadlock was reported here:
      https://www.redhat.com/archives/dm-devel/2020-March/msg00025.htmlReported-by: default avatarKhazhismel Kumykov <khazhy@google.com>
      Reported-by: default avatarTahsin Erdogan <tahsin@google.com>
      Reported-by: default avatarGabriel Krisman Bertazi <krisman@collabora.com>
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      35a9af8d
    • Tom Rix's avatar
      drm/radeon: fix double free · 8e5d3786
      Tom Rix authored
      commit 41855a89 upstream.
      
      clang static analysis flags this error
      
      drivers/gpu/drm/radeon/ci_dpm.c:5652:9: warning: Use of memory after it is freed [unix.Malloc]
                      kfree(rdev->pm.dpm.ps[i].ps_priv);
                            ^~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/gpu/drm/radeon/ci_dpm.c:5654:2: warning: Attempt to free released memory [unix.Malloc]
              kfree(rdev->pm.dpm.ps);
              ^~~~~~~~~~~~~~~~~~~~~~
      
      problem is reported in ci_dpm_fini, with these code blocks.
      
      	for (i = 0; i < rdev->pm.dpm.num_ps; i++) {
      		kfree(rdev->pm.dpm.ps[i].ps_priv);
      	}
      	kfree(rdev->pm.dpm.ps);
      
      The first free happens in ci_parse_power_table where it cleans up locally
      on a failure.  ci_dpm_fini also does a cleanup.
      
      	ret = ci_parse_power_table(rdev);
      	if (ret) {
      		ci_dpm_fini(rdev);
      		return ret;
      	}
      
      So remove the cleanup in ci_parse_power_table and
      move the num_ps calculation to inside the loop so ci_dpm_fini
      will know how many array elements to free.
      
      Fixes: cc8dbbb4 ("drm/radeon: add dpm support for CI dGPUs (v2)")
      Signed-off-by: default avatarTom Rix <trix@redhat.com>
      Signed-off-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e5d3786
    • Boris Burkov's avatar
      btrfs: fix fatal extent_buffer readahead vs releasepage race · 8ee03580
      Boris Burkov authored
      commit 6bf9cd2e upstream.
      
      Under somewhat convoluted conditions, it is possible to attempt to
      release an extent_buffer that is under io, which triggers a BUG_ON in
      btrfs_release_extent_buffer_pages.
      
      This relies on a few different factors. First, extent_buffer reads done
      as readahead for searching use WAIT_NONE, so they free the local extent
      buffer reference while the io is outstanding. However, they should still
      be protected by TREE_REF. However, if the system is doing signficant
      reclaim, and simultaneously heavily accessing the extent_buffers, it is
      possible for releasepage to race with two concurrent readahead attempts
      in a way that leaves TREE_REF unset when the readahead extent buffer is
      released.
      
      Essentially, if two tasks race to allocate a new extent_buffer, but the
      winner who attempts the first io is rebuffed by a page being locked
      (likely by the reclaim itself) then the loser will still go ahead with
      issuing the readahead. The loser's call to find_extent_buffer must also
      race with the reclaim task reading the extent_buffer's refcount as 1 in
      a way that allows the reclaim to re-clear the TREE_REF checked by
      find_extent_buffer.
      
      The following represents an example execution demonstrating the race:
      
                  CPU0                                                         CPU1                                           CPU2
      reada_for_search                                            reada_for_search
        readahead_tree_block                                        readahead_tree_block
          find_create_tree_block                                      find_create_tree_block
            alloc_extent_buffer                                         alloc_extent_buffer
                                                                        find_extent_buffer // not found
                                                                        allocates eb
                                                                        lock pages
                                                                        associate pages to eb
                                                                        insert eb into radix tree
                                                                        set TREE_REF, refs == 2
                                                                        unlock pages
                                                                    read_extent_buffer_pages // WAIT_NONE
                                                                      not uptodate (brand new eb)
                                                                                                                  lock_page
                                                                      if !trylock_page
                                                                        goto unlock_exit // not an error
                                                                    free_extent_buffer
                                                                      release_extent_buffer
                                                                        atomic_dec_and_test refs to 1
              find_extent_buffer // found
                                                                                                                  try_release_extent_buffer
                                                                                                                    take refs_lock
                                                                                                                    reads refs == 1; no io
                atomic_inc_not_zero refs to 2
                mark_buffer_accessed
                  check_buffer_tree_ref
                    // not STALE, won't take refs_lock
                    refs == 2; TREE_REF set // no action
          read_extent_buffer_pages // WAIT_NONE
                                                                                                                    clear TREE_REF
                                                                                                                    release_extent_buffer
                                                                                                                      atomic_dec_and_test refs to 1
                                                                                                                      unlock_page
            still not uptodate (CPU1 read failed on trylock_page)
            locks pages
            set io_pages > 0
            submit io
            return
          free_extent_buffer
            release_extent_buffer
              dec refs to 0
              delete from radix tree
              btrfs_release_extent_buffer_pages
                BUG_ON(io_pages > 0)!!!
      
      We observe this at a very low rate in production and were also able to
      reproduce it in a test environment by introducing some spurious delays
      and by introducing probabilistic trylock_page failures.
      
      To fix it, we apply check_tree_ref at a point where it could not
      possibly be unset by a competing task: after io_pages has been
      incremented. All the codepaths that clear TREE_REF check for io, so they
      would not be able to clear it after this point until the io is done.
      
      Stack trace, for reference:
      [1417839.424739] ------------[ cut here ]------------
      [1417839.435328] kernel BUG at fs/btrfs/extent_io.c:4841!
      [1417839.447024] invalid opcode: 0000 [#1] SMP
      [1417839.502972] RIP: 0010:btrfs_release_extent_buffer_pages+0x20/0x1f0
      [1417839.517008] Code: ed e9 ...
      [1417839.558895] RSP: 0018:ffffc90020bcf798 EFLAGS: 00010202
      [1417839.570816] RAX: 0000000000000002 RBX: ffff888102d6def0 RCX: 0000000000000028
      [1417839.586962] RDX: 0000000000000002 RSI: ffff8887f0296482 RDI: ffff888102d6def0
      [1417839.603108] RBP: ffff88885664a000 R08: 0000000000000046 R09: 0000000000000238
      [1417839.619255] R10: 0000000000000028 R11: ffff88885664af68 R12: 0000000000000000
      [1417839.635402] R13: 0000000000000000 R14: ffff88875f573ad0 R15: ffff888797aafd90
      [1417839.651549] FS:  00007f5a844fa700(0000) GS:ffff88885f680000(0000) knlGS:0000000000000000
      [1417839.669810] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [1417839.682887] CR2: 00007f7884541fe0 CR3: 000000049f609002 CR4: 00000000003606e0
      [1417839.699037] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [1417839.715187] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [1417839.731320] Call Trace:
      [1417839.737103]  release_extent_buffer+0x39/0x90
      [1417839.746913]  read_block_for_search.isra.38+0x2a3/0x370
      [1417839.758645]  btrfs_search_slot+0x260/0x9b0
      [1417839.768054]  btrfs_lookup_file_extent+0x4a/0x70
      [1417839.778427]  btrfs_get_extent+0x15f/0x830
      [1417839.787665]  ? submit_extent_page+0xc4/0x1c0
      [1417839.797474]  ? __do_readpage+0x299/0x7a0
      [1417839.806515]  __do_readpage+0x33b/0x7a0
      [1417839.815171]  ? btrfs_releasepage+0x70/0x70
      [1417839.824597]  extent_readpages+0x28f/0x400
      [1417839.833836]  read_pages+0x6a/0x1c0
      [1417839.841729]  ? startup_64+0x2/0x30
      [1417839.849624]  __do_page_cache_readahead+0x13c/0x1a0
      [1417839.860590]  filemap_fault+0x6c7/0x990
      [1417839.869252]  ? xas_load+0x8/0x80
      [1417839.876756]  ? xas_find+0x150/0x190
      [1417839.884839]  ? filemap_map_pages+0x295/0x3b0
      [1417839.894652]  __do_fault+0x32/0x110
      [1417839.902540]  __handle_mm_fault+0xacd/0x1000
      [1417839.912156]  handle_mm_fault+0xaa/0x1c0
      [1417839.921004]  __do_page_fault+0x242/0x4b0
      [1417839.930044]  ? page_fault+0x8/0x30
      [1417839.937933]  page_fault+0x1e/0x30
      [1417839.945631] RIP: 0033:0x33c4bae
      [1417839.952927] Code: Bad RIP value.
      [1417839.960411] RSP: 002b:00007f5a844f7350 EFLAGS: 00010206
      [1417839.972331] RAX: 000000000000006e RBX: 1614b3ff6a50398a RCX: 0000000000000000
      [1417839.988477] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000002
      [1417840.004626] RBP: 00007f5a844f7420 R08: 000000000000006e R09: 00007f5a94aeccb8
      [1417840.020784] R10: 00007f5a844f7350 R11: 0000000000000000 R12: 00007f5a94aecc79
      [1417840.036932] R13: 00007f5a94aecc78 R14: 00007f5a94aecc90 R15: 00007f5a94aecc40
      
      CC: stable@vger.kernel.org # 4.4+
      Reviewed-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarBoris Burkov <boris@bur.io>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8ee03580
    • Greg Kroah-Hartman's avatar
      Revert "ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb" · 54d2495b
      Greg Kroah-Hartman authored
      This reverts commit bdf4d37b which is
      commit 2bbcaaee upstream.
      
      It is being reverted upstream, just hasn't made it there yet and is
      causing lots of problems.
      Reported-by: default avatarHans de Goede <hdegoede@redhat.com>
      Cc: Qiujun Huang <hqjagain@gmail.com>
      Cc: Kalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54d2495b
    • Kees Cook's avatar
      bpf: Check correct cred for CAP_SYSLOG in bpf_dump_raw_ok() · b80e052c
      Kees Cook authored
      commit 63960260 upstream.
      
      When evaluating access control over kallsyms visibility, credentials at
      open() time need to be used, not the "current" creds (though in BPF's
      case, this has likely always been the same). Plumb access to associated
      file->f_cred down through bpf_dump_raw_ok() and its callers now that
      kallsysm_show_value() has been refactored to take struct cred.
      
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: bpf@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: 7105e828 ("bpf: allow for correlation of maps and helpers in dump")
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b80e052c
    • Kees Cook's avatar
      kprobes: Do not expose probe addresses to non-CAP_SYSLOG · bff4fad8
      Kees Cook authored
      commit 60f7bb66 upstream.
      
      The kprobe show() functions were using "current"'s creds instead
      of the file opener's creds for kallsyms visibility. Fix to use
      seq_file->file->f_cred.
      
      Cc: Masami Hiramatsu <mhiramat@kernel.org>
      Cc: stable@vger.kernel.org
      Fixes: 81365a94 ("kprobes: Show address of kprobes if kallsyms does")
      Fixes: ffb9bd68 ("kprobes: Show blacklist addresses as same as kallsyms does")
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bff4fad8
    • Kees Cook's avatar
      module: Do not expose section addresses to non-CAP_SYSLOG · c744568a
      Kees Cook authored
      commit b25a7c5a upstream.
      
      The printing of section addresses in /sys/module/*/sections/* was not
      using the correct credentials to evaluate visibility.
      
      Before:
      
       # cat /sys/module/*/sections/.*text
       0xffffffffc0458000
       ...
       # capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
       0xffffffffc0458000
       ...
      
      After:
      
       # cat /sys/module/*/sections/*.text
       0xffffffffc0458000
       ...
       # capsh --drop=CAP_SYSLOG -- -c "cat /sys/module/*/sections/.*text"
       0x0000000000000000
       ...
      
      Additionally replaces the existing (safe) /proc/modules check with
      file->f_cred for consistency.
      Reported-by: default avatarDominik Czarnota <dominik.czarnota@trailofbits.com>
      Fixes: be71eda5 ("module: Fix display of wrong module .text address")
      Cc: stable@vger.kernel.org
      Tested-by: default avatarJessica Yu <jeyu@kernel.org>
      Acked-by: default avatarJessica Yu <jeyu@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c744568a
    • Kees Cook's avatar
      module: Refactor section attr into bin attribute · bbd10824
      Kees Cook authored
      commit ed66f991 upstream.
      
      In order to gain access to the open file's f_cred for kallsym visibility
      permission checks, refactor the module section attributes to use the
      bin_attribute instead of attribute interface. Additionally removes the
      redundant "name" struct member.
      
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Tested-by: default avatarJessica Yu <jeyu@kernel.org>
      Acked-by: default avatarJessica Yu <jeyu@kernel.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbd10824
    • Gustavo A. R. Silva's avatar
      kernel: module: Use struct_size() helper · 2bcda838
      Gustavo A. R. Silva authored
      commit 8d1b73dd upstream.
      
      One of the more common cases of allocation size calculations is finding
      the size of a structure that has a zero-sized array at the end, along
      with memory for some number of elements for that array. For example:
      
      struct module_sect_attrs {
      	...
              struct module_sect_attr attrs[0];
      };
      
      Make use of the struct_size() helper instead of an open-coded version
      in order to avoid any potential type mistakes.
      
      So, replace the following form:
      
      sizeof(*sect_attrs) + nloaded * sizeof(sect_attrs->attrs[0]
      
      with:
      
      struct_size(sect_attrs, attrs, nloaded)
      
      This code was detected with the help of Coccinelle.
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarJessica Yu <jeyu@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2bcda838
    • Kees Cook's avatar
      kallsyms: Refactor kallsyms_show_value() to take cred · ebce5c1f
      Kees Cook authored
      commit 16025184 upstream.
      
      In order to perform future tests against the cred saved during open(),
      switch kallsyms_show_value() to operate on a cred, and have all current
      callers pass current_cred(). This makes it very obvious where callers
      are checking the wrong credential in their "read" contexts. These will
      be fixed in the coming patches.
      
      Additionally switch return value to bool, since it is always used as a
      direct permission check, not a 0-on-success, negative-on-error style
      function return.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ebce5c1f
    • Sean Christopherson's avatar
      KVM: x86: Mark CR4.TSD as being possibly owned by the guest · 80d94538
      Sean Christopherson authored
      commit 7c83d096 upstream.
      
      Mark CR4.TSD as being possibly owned by the guest as that is indeed the
      case on VMX.  Without TSD being tagged as possibly owned by the guest, a
      targeted read of CR4 to get TSD could observe a stale value.  This bug
      is benign in the current code base as the sole consumer of TSD is the
      emulator (for RDTSC) and the emulator always "reads" the entirety of CR4
      when grabbing bits.
      
      Add a build-time assertion in to ensure VMX doesn't hand over more CR4
      bits without also updating x86.
      
      Fixes: 52ce3c21 ("x86,kvm,vmx: Don't trap writes to CR4.TSD")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Message-Id: <20200703040422.31536-2-sean.j.christopherson@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      80d94538
    • Sean Christopherson's avatar
      KVM: x86: Inject #GP if guest attempts to toggle CR4.LA57 in 64-bit mode · e810c517
      Sean Christopherson authored
      commit d74fcfc1 upstream.
      
      Inject a #GP on MOV CR4 if CR4.LA57 is toggled in 64-bit mode, which is
      illegal per Intel's SDM:
      
        CR4.LA57
          57-bit linear addresses (bit 12 of CR4) ... blah blah blah ...
          This bit cannot be modified in IA-32e mode.
      
      Note, the pseudocode for MOV CR doesn't call out the fault condition,
      which is likely why the check was missed during initial development.
      This is arguably an SDM bug and will hopefully be fixed in future
      release of the SDM.
      
      Fixes: fd8cb433 ("KVM: MMU: Expose the LA57 feature to VM.")
      Cc: stable@vger.kernel.org
      Reported-by: default avatarSebastien Boeuf <sebastien.boeuf@intel.com>
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Message-Id: <20200703021714.5549-1-sean.j.christopherson@intel.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e810c517
    • Paolo Bonzini's avatar
      KVM: x86: bit 8 of non-leaf PDPEs is not reserved · c937fabd
      Paolo Bonzini authored
      commit 5ecad245 upstream.
      
      Bit 8 would be the "global" bit, which does not quite make sense for non-leaf
      page table entries.  Intel ignores it; AMD ignores it in PDEs and PDPEs, but
      reserves it in PML4Es.
      
      Probably, earlier versions of the AMD manual documented it as reserved in PDPEs
      as well, and that behavior made it into KVM as well as kvm-unit-tests; fix it.
      
      Cc: stable@vger.kernel.org
      Reported-by: default avatarNadav Amit <namit@vmware.com>
      Fixes: a0c0feb5 ("KVM: x86: reserve bit 8 of non-leaf PDPEs and PML4Es in 64-bit mode on AMD", 2014-09-03)
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c937fabd
    • Andrew Scull's avatar
      KVM: arm64: Stop clobbering x0 for HVC_SOFT_RESTART · fa81b25a
      Andrew Scull authored
      commit b9e10d4a upstream.
      
      HVC_SOFT_RESTART is given values for x0-2 that it should installed
      before exiting to the new address so should not set x0 to stub HVC
      success or failure code.
      
      Fixes: af42f204 ("arm64: hyp-stub: Zero x0 on successful stub handling")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAndrew Scull <ascull@google.com>
      Signed-off-by: default avatarMarc Zyngier <maz@kernel.org>
      Link: https://lore.kernel.org/r/20200706095259.1338221-1-ascull@google.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fa81b25a
    • Will Deacon's avatar
      KVM: arm64: Fix definition of PAGE_HYP_DEVICE · 27ce7d1c
      Will Deacon authored
      commit 68cf6173 upstream.
      
      PAGE_HYP_DEVICE is intended to encode attribute bits for an EL2 stage-1
      pte mapping a device. Unfortunately, it includes PROT_DEVICE_nGnRE which
      encodes attributes for EL1 stage-1 mappings such as UXN and nG, which are
      RES0 for EL2, and DBM which is meaningless as TCR_EL2.HD is not set.
      
      Fix the definition of PAGE_HYP_DEVICE so that it doesn't set RES0 bits
      at EL2.
      Acked-by: default avatarMarc Zyngier <maz@kernel.org>
      Cc: Marc Zyngier <maz@kernel.org>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: James Morse <james.morse@arm.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20200708162546.26176-1-will@kernel.orgSigned-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27ce7d1c
    • Hector Martin's avatar
      ALSA: usb-audio: add quirk for MacroSilicon MS2109 · fbaf62c0
      Hector Martin authored
      commit e337bf19 upstream.
      
      These devices claim to be 96kHz mono, but actually are 48kHz stereo with
      swapped channels and unaligned transfers.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHector Martin <marcan@marcan.st>
      Link: https://lore.kernel.org/r/20200702071433.237843-1-marcan@marcan.stSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fbaf62c0
    • Hui Wang's avatar
      ALSA: hda - let hs_mic be picked ahead of hp_mic · e7150981
      Hui Wang authored
      commit 6a6ca788 upstream.
      
      We have a Dell AIO, there is neither internal speaker nor internal
      mic, only a multi-function audio jack on it.
      
      Users reported that after freshly installing the OS and plug
      a headset to the audio jack, the headset can't output sound. I
      reproduced this bug, at that moment, the Input Source is as below:
      Simple mixer control 'Input Source',0
        Capabilities: cenum
        Items: 'Headphone Mic' 'Headset Mic'
        Item0: 'Headphone Mic'
      
      That is because the patch_realtek will set this audio jack as mic_in
      mode if Input Source's value is hp_mic.
      
      If it is not fresh installing, this issue will not happen since the
      systemd will run alsactl restore -f /var/lib/alsa/asound.state, this
      will set the 'Input Source' according to history value.
      
      If there is internal speaker or internal mic, this issue will not
      happen since there is valid sink/source in the pulseaudio, the PA will
      set the 'Input Source' according to active_port.
      
      To fix this issue, change the parser function to let the hs_mic be
      stored ahead of hp_mic.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Link: https://lore.kernel.org/r/20200625083833.11264-1-hui.wang@canonical.comSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e7150981
    • xidongwang's avatar
      ALSA: opl3: fix infoleak in opl3 · d917af2f
      xidongwang authored
      commit ad155712 upstream.
      
      The stack object “info” in snd_opl3_ioctl() has a leaking problem.
      It has 2 padding bytes which are not initialized and leaked via
      “copy_to_user”.
      Signed-off-by: default avatarxidongwang <wangxidong_97@163.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/1594006058-30362-1-git-send-email-wangxidong_97@163.comSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d917af2f
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON() · 384260fd
      Ido Schimmel authored
      [ Upstream commit d9d54202 ]
      
      We should not trigger a warning when a memory allocation fails. Remove
      the WARN_ON().
      
      The warning is constantly triggered by syzkaller when it is injecting
      faults:
      
      [ 2230.758664] FAULT_INJECTION: forcing a failure.
      [ 2230.758664] name failslab, interval 1, probability 0, space 0, times 0
      [ 2230.762329] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
      ...
      [ 2230.898175] WARNING: CPU: 3 PID: 1407 at drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:6265 mlxsw_sp_router_fib_event+0xfad/0x13e0
      [ 2230.898179] Kernel panic - not syncing: panic_on_warn set ...
      [ 2230.898183] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
      [ 2230.898190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      
      Fixes: 3057224e ("mlxsw: spectrum_router: Implement FIB offload in deferred work")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      384260fd
    • Nicolas Ferre's avatar
      net: macb: mark device wake capable when "magic-packet" property present · 8d5c8703
      Nicolas Ferre authored
      [ Upstream commit ced4799d ]
      
      Change the way the "magic-packet" DT property is handled in the
      macb_probe() function, matching DT binding documentation.
      Now we mark the device as "wakeup capable" instead of calling the
      device_init_wakeup() function that would enable the wakeup source.
      
      For Ethernet WoL, enabling the wakeup_source is done by
      using ethtool and associated macb_set_wol() function that
      already calls device_set_wakeup_enable() for this purpose.
      
      That would reduce power consumption by cutting more clocks if
      "magic-packet" property is set but WoL is not configured by ethtool.
      
      Fixes: 3e2a5e15 ("net: macb: add wake-on-lan support via magic packet")
      Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
      Cc: Harini Katakam <harini.katakam@xilinx.com>
      Cc: Sergio Prado <sergio.prado@e-labworks.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      8d5c8703
    • Davide Caratti's avatar
      bnxt_en: fix NULL dereference in case SR-IOV configuration fails · 0da591e2
      Davide Caratti authored
      [ Upstream commit c8b1d743 ]
      
      we need to set 'active_vfs' back to 0, if something goes wrong during the
      allocation of SR-IOV resources: otherwise, further VF configurations will
      wrongly assume that bp->pf.vf[x] are valid memory locations, and commands
      like the ones in the following sequence:
      
       # echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs
       # ip link set dev ens1f0np0 up
       # ip link set dev ens1f0np0 vf 0 trust on
      
      will cause a kernel crash similar to this:
      
       bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV
       BUG: kernel NULL pointer dereference, address: 0000000000000014
       #PF: supervisor read access in kernel mode
       #PF: error_code(0x0000) - not-present page
       PGD 0 P4D 0
       Oops: 0000 [#1] SMP PTI
       CPU: 43 PID: 2059 Comm: ip Tainted: G          I       5.8.0-rc2.upstream+ #871
       Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019
       RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en]
       Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89
       RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b
       RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900
       RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008
       R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000
       R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0
       FS:  00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       PKRU: 55555554
       Call Trace:
        do_setlink+0x994/0xfe0
        __rtnl_newlink+0x544/0x8d0
        rtnl_newlink+0x47/0x70
        rtnetlink_rcv_msg+0x29f/0x350
        netlink_rcv_skb+0x4a/0x110
        netlink_unicast+0x21d/0x300
        netlink_sendmsg+0x329/0x450
        sock_sendmsg+0x5b/0x60
        ____sys_sendmsg+0x204/0x280
        ___sys_sendmsg+0x88/0xd0
        __sys_sendmsg+0x5e/0xa0
        do_syscall_64+0x47/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Reported-by: default avatarFei Liu <feliu@redhat.com>
      CC: Jonathan Toppins <jtoppins@redhat.com>
      CC: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Acked-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0da591e2
    • Rahul Lakkireddy's avatar
      cxgb4: fix all-mask IP address comparison · 76075b45
      Rahul Lakkireddy authored
      [ Upstream commit 76c4d85c ]
      
      Convert all-mask IP address to Big Endian, instead, for comparison.
      
      Fixes: f286dd8e ("cxgb4: use correct type for all-mask IP address comparison")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      76075b45
    • Zheng Bin's avatar
      nbd: Fix memory leak in nbd_add_socket · 306290ba
      Zheng Bin authored
      [ Upstream commit 579dd91a ]
      
      When adding first socket to nbd, if nsock's allocation failed, the data
      structure member "config->socks" was reallocated, but the data structure
      member "config->num_connections" was not updated. A memory leak will occur
      then because the function "nbd_config_put" will free "config->socks" only
      when "config->num_connections" is not zero.
      
      Fixes: 03bf73c3 ("nbd: prevent memory leak")
      Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com
      Signed-off-by: default avatarZheng Bin <zhengbin13@huawei.com>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      306290ba
    • Wei Li's avatar
      arm64: kgdb: Fix single-step exception handling oops · d8793b41
      Wei Li authored
      [ Upstream commit 8523c006 ]
      
      After entering kdb due to breakpoint, when we execute 'ss' or 'go' (will
      delay installing breakpoints, do single-step first), it won't work
      correctly, and it will enter kdb due to oops.
      
      It's because the reason gotten in kdb_stub() is not as expected, and it
      seems that the ex_vector for single-step should be 0, like what arch
      powerpc/sh/parisc has implemented.
      
      Before the patch:
      Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry
      [0]kdb> bp printk
      Instruction(i) BP #0 at 0xffff8000101486cc (printk)
          is enabled   addr at ffff8000101486cc, hardtype=0 installed=0
      
      [0]kdb> g
      
      / # echo h > /proc/sysrq-trigger
      
      Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 due to Breakpoint @ 0xffff8000101486cc
      [3]kdb> ss
      
      Entering kdb (current=0xffff0000fa878040, pid 266) on processor 3 Oops: (null)
      due to oops @ 0xffff800010082ab8
      CPU: 3 PID: 266 Comm: sh Not tainted 5.7.0-rc4-13839-gf0e5ad491718 #6
      Hardware name: linux,dummy-virt (DT)
      pstate: 00000085 (nzcv daIf -PAN -UAO)
      pc : el1_irq+0x78/0x180
      lr : __handle_sysrq+0x80/0x190
      sp : ffff800015003bf0
      x29: ffff800015003d20 x28: ffff0000fa878040
      x27: 0000000000000000 x26: ffff80001126b1f0
      x25: ffff800011b6a0d8 x24: 0000000000000000
      x23: 0000000080200005 x22: ffff8000101486cc
      x21: ffff800015003d30 x20: 0000ffffffffffff
      x19: ffff8000119f2000 x18: 0000000000000000
      x17: 0000000000000000 x16: 0000000000000000
      x15: 0000000000000000 x14: 0000000000000000
      x13: 0000000000000000 x12: 0000000000000000
      x11: 0000000000000000 x10: 0000000000000000
      x9 : 0000000000000000 x8 : ffff800015003e50
      x7 : 0000000000000002 x6 : 00000000380b9990
      x5 : ffff8000106e99e8 x4 : ffff0000fadd83c0
      x3 : 0000ffffffffffff x2 : ffff800011b6a0d8
      x1 : ffff800011b6a000 x0 : ffff80001130c9d8
      Call trace:
       el1_irq+0x78/0x180
       printk+0x0/0x84
       write_sysrq_trigger+0xb0/0x118
       proc_reg_write+0xb4/0xe0
       __vfs_write+0x18/0x40
       vfs_write+0xb0/0x1b8
       ksys_write+0x64/0xf0
       __arm64_sys_write+0x14/0x20
       el0_svc_common.constprop.2+0xb0/0x168
       do_el0_svc+0x20/0x98
       el0_sync_handler+0xec/0x1a8
       el0_sync+0x140/0x180
      
      [3]kdb>
      
      After the patch:
      Entering kdb (current=0xffff8000119e2dc0, pid 0) on processor 0 due to Keyboard Entry
      [0]kdb> bp printk
      Instruction(i) BP #0 at 0xffff8000101486cc (printk)
          is enabled   addr at ffff8000101486cc, hardtype=0 installed=0
      
      [0]kdb> g
      
      / # echo h > /proc/sysrq-trigger
      
      Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc
      [0]kdb> g
      
      Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to Breakpoint @ 0xffff8000101486cc
      [0]kdb> ss
      
      Entering kdb (current=0xffff0000fa852bc0, pid 268) on processor 0 due to SS trap @ 0xffff800010082ab8
      [0]kdb>
      
      Fixes: 44679a4f ("arm64: KGDB: Add step debugging support")
      Signed-off-by: default avatarWei Li <liwei391@huawei.com>
      Tested-by: default avatarDouglas Anderson <dianders@chromium.org>
      Reviewed-by: default avatarDouglas Anderson <dianders@chromium.org>
      Link: https://lore.kernel.org/r/20200509214159.19680-2-liwei391@huawei.comSigned-off-by: default avatarWill Deacon <will@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      d8793b41
    • Vinod Koul's avatar
      ALSA: compress: fix partial_drain completion state · ab8dbdcb
      Vinod Koul authored
      [ Upstream commit f79a732a ]
      
      On partial_drain completion we should be in SNDRV_PCM_STATE_RUNNING
      state, so set that for partially draining streams in
      snd_compr_drain_notify() and use a flag for partially draining streams
      
      While at it, add locks for stream state change in
      snd_compr_drain_notify() as well.
      
      Fixes: f44f2a54 ("ALSA: compress: fix drain calls blocking other compress functions (v6)")
      Reviewed-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Tested-by: default avatarSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Reviewed-by: default avatarCharles Keepax <ckeepax@opensource.cirrus.com>
      Tested-by: default avatarCharles Keepax <ckeepax@opensource.cirrus.com>
      Signed-off-by: default avatarVinod Koul <vkoul@kernel.org>
      Link: https://lore.kernel.org/r/20200629134737.105993-4-vkoul@kernel.orgSigned-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      ab8dbdcb
    • Yonglong Liu's avatar
      net: hns3: fix use-after-free when doing self test · 90038720
      Yonglong Liu authored
      [ Upstream commit a0665621 ]
      
      Enable promisc mode of PF, set VF link state to enable, and
      run iperf of the VF, then do self test of the PF. The self test
      will fail with a low frequency, and may cause a use-after-free
      problem.
      
      [   87.142126] selftest:000004a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      [   87.159722] ==================================================================
      [   87.174187] BUG: KASAN: use-after-free in hex_dump_to_buffer+0x140/0x608
      [   87.187600] Read of size 1 at addr ffff003b22828000 by task ethtool/1186
      [   87.201012]
      [   87.203978] CPU: 7 PID: 1186 Comm: ethtool Not tainted 5.5.0-rc4-gfd51c473-dirty #4
      [   87.219306] Hardware name: Huawei TaiShan 2280 V2/BC82AMDA, BIOS TA BIOS 2280-A CS V2.B160.01 01/15/2020
      [   87.238292] Call trace:
      [   87.243173]  dump_backtrace+0x0/0x280
      [   87.250491]  show_stack+0x24/0x30
      [   87.257114]  dump_stack+0xe8/0x140
      [   87.263911]  print_address_description.isra.8+0x70/0x380
      [   87.274538]  __kasan_report+0x12c/0x230
      [   87.282203]  kasan_report+0xc/0x18
      [   87.288999]  __asan_load1+0x60/0x68
      [   87.295969]  hex_dump_to_buffer+0x140/0x608
      [   87.304332]  print_hex_dump+0x140/0x1e0
      [   87.312000]  hns3_lb_check_skb_data+0x168/0x170
      [   87.321060]  hns3_clean_rx_ring+0xa94/0xfe0
      [   87.329422]  hns3_self_test+0x708/0x8c0
      
      The length of packet sent by the selftest process is only
      128 + 14 bytes, and the min buffer size of a BD is 256 bytes,
      and the receive process will make sure the packet sent by
      the selftest process is in the linear part, so only check
      the linear part in hns3_lb_check_skb_data().
      
      So fix this use-after-free by using skb_headlen() to dump
      skb->data instead of skb->len.
      
      Fixes: c39c4d98 ("net: hns3: Add mac loopback selftest support in hns3 driver")
      Signed-off-by: default avatarYonglong Liu <liuyonglong@huawei.com>
      Signed-off-by: default avatarHuazhong Tan <tanhuazhong@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      90038720
    • Andre Edich's avatar
      smsc95xx: avoid memory leak in smsc95xx_bind · b5c2a944
      Andre Edich authored
      [ Upstream commit 3ed58f96 ]
      
      In a case where the ID_REV register read is failed, the memory for a
      private data structure has to be freed before returning error from the
      function smsc95xx_bind.
      
      Fixes: bbd9f9ee ("smsc95xx: add wol support for more frame types")
      Signed-off-by: default avatarAndre Edich <andre.edich@microchip.com>
      Signed-off-by: default avatarParthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b5c2a944
    • Andre Edich's avatar
      smsc95xx: check return value of smsc95xx_reset · 10929819
      Andre Edich authored
      [ Upstream commit 7c8b1e85 ]
      
      The return value of the function smsc95xx_reset() must be checked
      to avoid returning false success from the function smsc95xx_bind().
      
      Fixes: 2f7ca802 ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
      Signed-off-by: default avatarAndre Edich <andre.edich@microchip.com>
      Signed-off-by: default avatarParthiban Veerasooran <Parthiban.Veerasooran@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      10929819
    • Li Heng's avatar
      net: cxgb4: fix return error value in t4_prep_fw · 739fe4d1
      Li Heng authored
      [ Upstream commit 8a259e6b ]
      
      t4_prep_fw goto bye tag with positive return value when something
      bad happened and which can not free resource in adap_init0.
      so fix it to return negative value.
      
      Fixes: 16e47624 ("cxgb4: Add new scheme to update T4/T5 firmware")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarLi Heng <liheng40@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      739fe4d1