1. 22 Jun, 2020 40 commits
    • Abhinav Ratna's avatar
      PCI: Add ACS quirk for iProc PAXB · 66630388
      Abhinav Ratna authored
      [ Upstream commit 46b2c32d ]
      
      iProc PAXB Root Ports don't advertise an ACS capability, but they do not
      allow peer-to-peer transactions between Root Ports.  Add an ACS quirk so
      each Root Port can be in a separate IOMMU group.
      
      [bhelgaas: commit log, comment, use common implementation style]
      Link: https://lore.kernel.org/r/1566275985-25670-1-git-send-email-srinath.mannam@broadcom.comSigned-off-by: default avatarAbhinav Ratna <abhinav.ratna@broadcom.com>
      Signed-off-by: default avatarSrinath Mannam <srinath.mannam@broadcom.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarScott Branden <scott.branden@broadcom.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      66630388
    • Kevin Buettner's avatar
      PCI: Avoid FLR for AMD Starship USB 3.0 · a77e92f0
      Kevin Buettner authored
      [ Upstream commit 5727043c ]
      
      The AMD Starship USB 3.0 host controller advertises Function Level Reset
      support, but it apparently doesn't work.  Add a quirk to prevent use of FLR
      on this device.
      
      Without this quirk, when attempting to assign (pass through) an AMD
      Starship USB 3.0 host controller to a guest OS, the system becomes
      increasingly unresponsive over the course of several minutes, eventually
      requiring a hard reset.  Shortly after attempting to start the guest, I see
      these messages:
      
        vfio-pci 0000:05:00.3: not ready 1023ms after FLR; waiting
        vfio-pci 0000:05:00.3: not ready 2047ms after FLR; waiting
        vfio-pci 0000:05:00.3: not ready 4095ms after FLR; waiting
        vfio-pci 0000:05:00.3: not ready 8191ms after FLR; waiting
      
      And then eventually:
      
        vfio-pci 0000:05:00.3: not ready 65535ms after FLR; giving up
        INFO: NMI handler (perf_event_nmi_handler) took too long to run: 0.000 msecs
        perf: interrupt took too long (642744 > 2500), lowering kernel.perf_event_max_sample_rate to 1000
        INFO: NMI handler (perf_event_nmi_handler) took too long to run: 82.270 msecs
        INFO: NMI handler (perf_event_nmi_handler) took too long to run: 680.608 msecs
        INFO: NMI handler (perf_event_nmi_handler) took too long to run: 100.952 msecs
        ...
        watchdog: BUG: soft lockup - CPU#3 stuck for 22s! [qemu-system-x86:7487]
      
      Tested on a Micro-Star International Co., Ltd. MS-7C59/Creator TRX40
      motherboard with an AMD Ryzen Threadripper 3970X.
      
      Link: https://lore.kernel.org/r/20200524003529.598434ff@f31-4.lanSigned-off-by: default avatarKevin Buettner <kevinb@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a77e92f0
    • Marcos Scriven's avatar
      PCI: Avoid FLR for AMD Matisse HD Audio & USB 3.0 · 389b5fd1
      Marcos Scriven authored
      [ Upstream commit 0d14f06c ]
      
      The AMD Matisse HD Audio & USB 3.0 devices advertise Function Level Reset
      support, but hang when an FLR is triggered.
      
      To reproduce the problem, attach the device to a VM, then detach and try to
      attach again.
      
      Rename the existing quirk_intel_no_flr(), which was not Intel-specific, to
      quirk_no_flr(), and apply it to prevent the use of FLR on these AMD
      devices.
      
      Link: https://lore.kernel.org/r/CAAri2DpkcuQZYbT6XsALhx2e6vRqPHwtbjHYeiH7MNp4zmt1RA@mail.gmail.comSigned-off-by: default avatarMarcos Scriven <marcos@scriven.org>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      389b5fd1
    • Kai-Heng Feng's avatar
      PCI: Avoid Pericom USB controller OHCI/EHCI PME# defect · 36460fae
      Kai-Heng Feng authored
      [ Upstream commit 68f5fc4e ]
      
      Both Pericom OHCI and EHCI devices advertise PME# support from all power
      states:
      
        06:00.0 USB controller [0c03]: Pericom Semiconductor PI7C9X442SL USB OHCI Controller [12d8:400e] (rev 01) (prog-if 10 [OHCI])
          Subsystem: Pericom Semiconductor PI7C9X442SL USB OHCI Controller [12d8:400e]
          Capabilities: [80] Power Management version 3
            Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=375mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
      
        06:00.2 USB controller [0c03]: Pericom Semiconductor PI7C9X442SL USB EHCI Controller [12d8:400f] (rev 01) (prog-if 20 [EHCI])
          Subsystem: Pericom Semiconductor PI7C9X442SL USB EHCI Controller [12d8:400f]
          Capabilities: [80] Power Management version 3
            Flags: PMEClk- DSI- D1+ D2+ AuxCurrent=375mA PME(D0+,D1+,D2+,D3hot+,D3cold+)
      
      But testing shows that it's unreliable: there is a 20% chance PME# won't be
      asserted when a USB device is plugged.
      
      Remove PME support for both devices to make USB plugging work reliably.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=205981
      Link: https://lore.kernel.org/r/20200508065343.32751-2-kai.heng.feng@canonical.comSigned-off-by: default avatarKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      36460fae
    • Eric Biggers's avatar
      ext4: fix race between ext4_sync_parent() and rename() · 8f3f5ba2
      Eric Biggers authored
      commit 08adf452 upstream.
      
      'igrab(d_inode(dentry->d_parent))' without holding dentry->d_lock is
      broken because without d_lock, d_parent can be concurrently changed due
      to a rename().  Then if the old directory is immediately deleted, old
      d_parent->inode can be NULL.  That causes a NULL dereference in igrab().
      
      To fix this, use dget_parent() to safely grab a reference to the parent
      dentry, which pins the inode.  This also eliminates the need to use
      d_find_any_alias() other than for the initial inode, as we no longer
      throw away the dentry at each step.
      
      This is an extremely hard race to hit, but it is possible.  Adding a
      udelay() in between the reads of ->d_parent and its ->d_inode makes it
      reproducible on a no-journal filesystem using the following program:
      
          #include <fcntl.h>
          #include <unistd.h>
      
          int main()
          {
              if (fork()) {
                  for (;;) {
                      mkdir("dir1", 0700);
                      int fd = open("dir1/file", O_RDWR|O_CREAT|O_SYNC);
                      write(fd, "X", 1);
                      close(fd);
                  }
              } else {
                  mkdir("dir2", 0700);
                  for (;;) {
                      rename("dir1/file", "dir2/file");
                      rmdir("dir1");
                  }
              }
          }
      
      Fixes: d59729f4 ("ext4: fix races in ext4_sync_parent()")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Link: https://lore.kernel.org/r/20200506183140.541194-1-ebiggers@kernel.orgSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f3f5ba2
    • Jeffle Xu's avatar
      ext4: fix error pointer dereference · aab1eab0
      Jeffle Xu authored
      commit 8418897f upstream.
      
      Don't pass error pointers to brelse().
      
      commit 7159a986 ("ext4: fix some error pointer dereferences") has fixed
      some cases, fix the remaining one case.
      
      Once ext4_xattr_block_find()->ext4_sb_bread() failed, error pointer is
      stored in @bs->bh, which will be passed to brelse() in the cleanup
      routine of ext4_xattr_set_handle(). This will then cause a NULL panic
      crash in __brelse().
      
      BUG: unable to handle kernel NULL pointer dereference at 000000000000005b
      RIP: 0010:__brelse+0x1b/0x50
      Call Trace:
       ext4_xattr_set_handle+0x163/0x5d0
       ext4_xattr_set+0x95/0x110
       __vfs_setxattr+0x6b/0x80
       __vfs_setxattr_noperm+0x68/0x1b0
       vfs_setxattr+0xa0/0xb0
       setxattr+0x12c/0x1a0
       path_setxattr+0x8d/0xc0
       __x64_sys_setxattr+0x27/0x30
       do_syscall_64+0x60/0x250
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      In this case, @bs->bh stores '-EIO' actually.
      
      Fixes: fb265c9c ("ext4: add ext4_sb_bread() to disambiguate ENOMEM cases")
      Signed-off-by: default avatarJeffle Xu <jefflexu@linux.alibaba.com>
      Reviewed-by: default avatarJoseph Qi <joseph.qi@linux.alibaba.com>
      Cc: stable@kernel.org # 2.6.19
      Reviewed-by: default avatarRitesh Harjani <riteshh@linux.ibm.com>
      Reviewed-by: default avatarJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/1587628004-95123-1-git-send-email-jefflexu@linux.alibaba.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      aab1eab0
    • Harshad Shirwadkar's avatar
      ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max · acbec3dd
      Harshad Shirwadkar authored
      commit c36a71b4 upstream.
      
      If eh->eh_max is 0, EXT_MAX_EXTENT/INDEX would evaluate to unsigned
      (-1) resulting in illegal memory accesses. Although there is no
      consistent repro, we see that generic/019 sometimes crashes because of
      this bug.
      
      Ran gce-xfstests smoke and verified that there were no regressions.
      Signed-off-by: default avatarHarshad Shirwadkar <harshadshirwadkar@gmail.com>
      Link: https://lore.kernel.org/r/20200421023959.20879-2-harshadshirwadkar@gmail.comSigned-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
      Cc: stable@kernel.org
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      acbec3dd
    • Roberto Sassu's avatar
      evm: Fix possible memory leak in evm_calc_hmac_or_hash() · 3815f650
      Roberto Sassu authored
      commit 0c4395fb upstream.
      
      Don't immediately return if the signature is portable and security.ima is
      not present. Just set error so that memory allocated is freed before
      returning from evm_calc_hmac_or_hash().
      
      Fixes: 50b97748 ("EVM: Add support for portable signature format")
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3815f650
    • Roberto Sassu's avatar
      ima: Directly assign the ima_default_policy pointer to ima_rules · d52a1903
      Roberto Sassu authored
      commit 067a436b upstream.
      
      This patch prevents the following oops:
      
      [   10.771813] BUG: kernel NULL pointer dereference, address: 0000000000000
      [...]
      [   10.779790] RIP: 0010:ima_match_policy+0xf7/0xb80
      [...]
      [   10.798576] Call Trace:
      [   10.798993]  ? ima_lsm_policy_change+0x2b0/0x2b0
      [   10.799753]  ? inode_init_owner+0x1a0/0x1a0
      [   10.800484]  ? _raw_spin_lock+0x7a/0xd0
      [   10.801592]  ima_must_appraise.part.0+0xb6/0xf0
      [   10.802313]  ? ima_fix_xattr.isra.0+0xd0/0xd0
      [   10.803167]  ima_must_appraise+0x4f/0x70
      [   10.804004]  ima_post_path_mknod+0x2e/0x80
      [   10.804800]  do_mknodat+0x396/0x3c0
      
      It occurs when there is a failure during IMA initialization, and
      ima_init_policy() is not called. IMA hooks still call ima_match_policy()
      but ima_rules is NULL. This patch prevents the crash by directly assigning
      the ima_default_policy pointer to ima_rules when ima_rules is defined. This
      wouldn't alter the existing behavior, as ima_rules is always set at the end
      of ima_init_policy().
      
      Cc: stable@vger.kernel.org # 3.7.x
      Fixes: 07f6a794 ("ima: add appraise action keywords and default rules")
      Reported-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d52a1903
    • Krzysztof Struczynski's avatar
      ima: Fix ima digest hash table key calculation · 71381daf
      Krzysztof Struczynski authored
      commit 1129d31b upstream.
      
      Function hash_long() accepts unsigned long, while currently only one byte
      is passed from ima_hash_key(), which calculates a key for ima_htable.
      
      Given that hashing the digest does not give clear benefits compared to
      using the digest itself, remove hash_long() and return the modulus
      calculated on the first two bytes of the digest with the number of slots.
      Also reduce the depth of the hash table by doubling the number of slots.
      
      Cc: stable@vger.kernel.org
      Fixes: 3323eec9 ("integrity: IMA as an integrity service provider")
      Co-developed-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: default avatarRoberto Sassu <roberto.sassu@huawei.com>
      Signed-off-by: default avatarKrzysztof Struczynski <krzysztof.struczynski@huawei.com>
      Acked-by: David.Laight@aculab.com (big endian system concerns)
      Signed-off-by: default avatarMimi Zohar <zohar@linux.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71381daf
    • Pavel Tatashin's avatar
      mm: initialize deferred pages with interrupts enabled · 88afa532
      Pavel Tatashin authored
      commit 3d060856 upstream.
      
      Initializing struct pages is a long task and keeping interrupts disabled
      for the duration of this operation introduces a number of problems.
      
      1. jiffies are not updated for long period of time, and thus incorrect time
         is reported. See proposed solution and discussion here:
         lkml/20200311123848.118638-1-shile.zhang@linux.alibaba.com
      2. It prevents farther improving deferred page initialization by allowing
         intra-node multi-threading.
      
      We are keeping interrupts disabled to solve a rather theoretical problem
      that was never observed in real world (See 3a2d7fa8).
      
      Let's keep interrupts enabled. In case we ever encounter a scenario where
      an interrupt thread wants to allocate large amount of memory this early in
      boot we can deal with that by growing zone (see deferred_grow_zone()) by
      the needed amount before starting deferred_init_memmap() threads.
      
      Before:
      [    1.232459] node 0 initialised, 12058412 pages in 1ms
      
      After:
      [    1.632580] node 0 initialised, 12051227 pages in 436ms
      
      Fixes: 3a2d7fa8 ("mm: disable interrupts while initializing deferred pages")
      Reported-by: default avatarShile Zhang <shile.zhang@linux.alibaba.com>
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@soleen.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Reviewed-by: default avatarDaniel Jordan <daniel.m.jordan@oracle.com>
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Acked-by: default avatarMichal Hocko <mhocko@suse.com>
      Acked-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: James Morris <jmorris@namei.org>
      Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
      Cc: Sasha Levin <sashal@kernel.org>
      Cc: Yiqian Wei <yiwei@redhat.com>
      Cc: <stable@vger.kernel.org>	[4.17+]
      Link: http://lkml.kernel.org/r/20200403140952.17177-3-pasha.tatashin@soleen.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88afa532
    • Andrea Arcangeli's avatar
      mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() · 453d8a48
      Andrea Arcangeli authored
      commit c444eb56 upstream.
      
      Write protect anon page faults require an accurate mapcount to decide
      if to break the COW or not. This is implemented in the THP path with
      reuse_swap_page() ->
      page_trans_huge_map_swapcount()/page_trans_huge_mapcount().
      
      If the COW triggers while the other processes sharing the page are
      under a huge pmd split, to do an accurate reading, we must ensure the
      mapcount isn't computed while it's being transferred from the head
      page to the tail pages.
      
      reuse_swap_cache() already runs serialized by the page lock, so it's
      enough to add the page lock around __split_huge_pmd_locked too, in
      order to add the missing serialization.
      
      Note: the commit in "Fixes" is just to facilitate the backporting,
      because the code before such commit didn't try to do an accurate THP
      mapcount calculation and it instead used the page_count() to decide if
      to COW or not. Both the page_count and the pin_count are THP-wide
      refcounts, so they're inaccurate if used in
      reuse_swap_page(). Reverting such commit (besides the unrelated fix to
      the local anon_vma assignment) would have also opened the window for
      memory corruption side effects to certain workloads as documented in
      such commit header.
      Signed-off-by: default avatarAndrea Arcangeli <aarcange@redhat.com>
      Suggested-by: default avatarJann Horn <jannh@google.com>
      Reported-by: default avatarJann Horn <jannh@google.com>
      Acked-by: default avatarKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Fixes: 6d0a07ed ("mm: thp: calculate the mapcount correctly for THP pages during WP faults")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      453d8a48
    • Marcos Paulo de Souza's avatar
      btrfs: send: emit file capabilities after chown · e2049349
      Marcos Paulo de Souza authored
      commit 89efda52 upstream.
      
      Whenever a chown is executed, all capabilities of the file being touched
      are lost.  When doing incremental send with a file with capabilities,
      there is a situation where the capability can be lost on the receiving
      side. The sequence of actions bellow shows the problem:
      
        $ mount /dev/sda fs1
        $ mount /dev/sdb fs2
      
        $ touch fs1/foo.bar
        $ setcap cap_sys_nice+ep fs1/foo.bar
        $ btrfs subvolume snapshot -r fs1 fs1/snap_init
        $ btrfs send fs1/snap_init | btrfs receive fs2
      
        $ chgrp adm fs1/foo.bar
        $ setcap cap_sys_nice+ep fs1/foo.bar
      
        $ btrfs subvolume snapshot -r fs1 fs1/snap_complete
        $ btrfs subvolume snapshot -r fs1 fs1/snap_incremental
      
        $ btrfs send fs1/snap_complete | btrfs receive fs2
        $ btrfs send -p fs1/snap_init fs1/snap_incremental | btrfs receive fs2
      
      At this point, only a chown was emitted by "btrfs send" since only the
      group was changed. This makes the cap_sys_nice capability to be dropped
      from fs2/snap_incremental/foo.bar
      
      To fix that, only emit capabilities after chown is emitted. The current
      code first checks for xattrs that are new/changed, emits them, and later
      emit the chown. Now, __process_new_xattr skips capabilities, letting
      only finish_inode_if_needed to emit them, if they exist, for the inode
      being processed.
      
      This behavior was being worked around in "btrfs receive" side by caching
      the capability and only applying it after chown. Now, xattrs are only
      emmited _after_ chown, making that workaround not needed anymore.
      
      Link: https://github.com/kdave/btrfs-progs/issues/202
      CC: stable@vger.kernel.org # 4.4+
      Suggested-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarMarcos Paulo de Souza <mpdesouza@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e2049349
    • Anand Jain's avatar
      btrfs: include non-missing as a qualifier for the latest_bdev · bcad3df8
      Anand Jain authored
      commit 998a0671 upstream.
      
      btrfs_free_extra_devids() updates fs_devices::latest_bdev to point to
      the bdev with greatest device::generation number.  For a typical-missing
      device the generation number is zero so fs_devices::latest_bdev will
      never point to it.
      
      But if the missing device is due to alienation [1], then
      device::generation is not zero and if it is greater or equal to the rest
      of device  generations in the list, then fs_devices::latest_bdev ends up
      pointing to the missing device and reports the error like [2].
      
      [1] We maintain devices of a fsid (as in fs_device::fsid) in the
      fs_devices::devices list, a device is considered as an alien device
      if its fsid does not match with the fs_device::fsid
      
      Consider a working filesystem with raid1:
      
        $ mkfs.btrfs -f -d raid1 -m raid1 /dev/sda /dev/sdb
        $ mount /dev/sda /mnt-raid1
        $ umount /mnt-raid1
      
      While mnt-raid1 was unmounted the user force-adds one of its devices to
      another btrfs filesystem:
      
        $ mkfs.btrfs -f /dev/sdc
        $ mount /dev/sdc /mnt-single
        $ btrfs dev add -f /dev/sda /mnt-single
      
      Now the original mnt-raid1 fails to mount in degraded mode, because
      fs_devices::latest_bdev is pointing to the alien device.
      
        $ mount -o degraded /dev/sdb /mnt-raid1
      
      [2]
      mount: wrong fs type, bad option, bad superblock on /dev/sdb,
             missing codepage or helper program, or other error
      
             In some cases useful info is found in syslog - try
             dmesg | tail or so.
      
        kernel: BTRFS warning (device sdb): devid 1 uuid 072a0192-675b-4d5a-8640-a5cf2b2c704d is missing
        kernel: BTRFS error (device sdb): failed to read devices
        kernel: BTRFS error (device sdb): open_ctree failed
      
      Fix the root cause by checking if the device is not missing before it
      can be considered for the fs_devices::latest_bdev.
      
      CC: stable@vger.kernel.org # 4.19+
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarAnand Jain <anand.jain@oracle.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bcad3df8
    • Daniel Axtens's avatar
      string.h: fix incompatibility between FORTIFY_SOURCE and KASAN · 6d49d04c
      Daniel Axtens authored
      [ Upstream commit 47227d27 ]
      
      The memcmp KASAN self-test fails on a kernel with both KASAN and
      FORTIFY_SOURCE.
      
      When FORTIFY_SOURCE is on, a number of functions are replaced with
      fortified versions, which attempt to check the sizes of the operands.
      However, these functions often directly invoke __builtin_foo() once they
      have performed the fortify check.  Using __builtins may bypass KASAN
      checks if the compiler decides to inline it's own implementation as
      sequence of instructions, rather than emit a function call that goes out
      to a KASAN-instrumented implementation.
      
      Why is only memcmp affected?
      ============================
      
      Of the string and string-like functions that kasan_test tests, only memcmp
      is replaced by an inline sequence of instructions in my testing on x86
      with gcc version 9.2.1 20191008 (Ubuntu 9.2.1-9ubuntu2).
      
      I believe this is due to compiler heuristics.  For example, if I annotate
      kmalloc calls with the alloc_size annotation (and disable some fortify
      compile-time checking!), the compiler will replace every memset except the
      one in kmalloc_uaf_memset with inline instructions.  (I have some WIP
      patches to add this annotation.)
      
      Does this affect other functions in string.h?
      =============================================
      
      Yes. Anything that uses __builtin_* rather than __real_* could be
      affected. This looks like:
      
       - strncpy
       - strcat
       - strlen
       - strlcpy maybe, under some circumstances?
       - strncat under some circumstances
       - memset
       - memcpy
       - memmove
       - memcmp (as noted)
       - memchr
       - strcpy
      
      Whether a function call is emitted always depends on the compiler.  Most
      bugs should get caught by FORTIFY_SOURCE, but the missed memcmp test shows
      that this is not always the case.
      
      Isn't FORTIFY_SOURCE disabled with KASAN?
      ========================================-
      
      The string headers on all arches supporting KASAN disable fortify with
      kasan, but only when address sanitisation is _also_ disabled.  For example
      from x86:
      
       #if defined(CONFIG_KASAN) && !defined(__SANITIZE_ADDRESS__)
       /*
        * For files that are not instrumented (e.g. mm/slub.c) we
        * should use not instrumented version of mem* functions.
        */
       #define memcpy(dst, src, len) __memcpy(dst, src, len)
       #define memmove(dst, src, len) __memmove(dst, src, len)
       #define memset(s, c, n) __memset(s, c, n)
      
       #ifndef __NO_FORTIFY
       #define __NO_FORTIFY /* FORTIFY_SOURCE uses __builtin_memcpy, etc. */
       #endif
      
       #endif
      
      This comes from commit 6974f0c4 ("include/linux/string.h: add the
      option of fortified string.h functions"), and doesn't work when KASAN is
      enabled and the file is supposed to be sanitised - as with test_kasan.c
      
      I'm pretty sure this is not wrong, but not as expansive it should be:
      
       * we shouldn't use __builtin_memcpy etc in files where we don't have
         instrumentation - it could devolve into a function call to memcpy,
         which will be instrumented. Rather, we should use __memcpy which
         by convention is not instrumented.
      
       * we also shouldn't be using __builtin_memcpy when we have a KASAN
         instrumented file, because it could be replaced with inline asm
         that will not be instrumented.
      
      What is correct behaviour?
      ==========================
      
      Firstly, there is some overlap between fortification and KASAN: both
      provide some level of _runtime_ checking. Only fortify provides
      compile-time checking.
      
      KASAN and fortify can pick up different things at runtime:
      
       - Some fortify functions, notably the string functions, could easily be
         modified to consider sub-object sizes (e.g. members within a struct),
         and I have some WIP patches to do this. KASAN cannot detect these
         because it cannot insert poision between members of a struct.
      
       - KASAN can detect many over-reads/over-writes when the sizes of both
         operands are unknown, which fortify cannot.
      
      So there are a couple of options:
      
       1) Flip the test: disable fortify in santised files and enable it in
          unsanitised files. This at least stops us missing KASAN checking, but
          we lose the fortify checking.
      
       2) Make the fortify code always call out to real versions. Do this only
          for KASAN, for fear of losing the inlining opportunities we get from
          __builtin_*.
      
      (We can't use kasan_check_{read,write}: because the fortify functions are
      _extern inline_, you can't include _static_ inline functions without a
      compiler warning. kasan_check_{read,write} are static inline so we can't
      use them even when they would otherwise be suitable.)
      
      Take approach 2 and call out to real versions when KASAN is enabled.
      
      Use __underlying_foo to distinguish from __real_foo: __real_foo always
      refers to the kernel's implementation of foo, __underlying_foo could be
      either the kernel implementation or the __builtin_foo implementation.
      
      This is sometimes enough to make the memcmp test succeed with
      FORTIFY_SOURCE enabled. It is at least enough to get the function call
      into the module. One more fix is needed to make it reliable: see the next
      patch.
      
      Fixes: 6974f0c4 ("include/linux/string.h: add the option of fortified string.h functions")
      Signed-off-by: default avatarDaniel Axtens <dja@axtens.net>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Tested-by: default avatarDavid Gow <davidgow@google.com>
      Reviewed-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Daniel Micay <danielmicay@gmail.com>
      Cc: Andrey Ryabinin <aryabinin@virtuozzo.com>
      Cc: Alexander Potapenko <glider@google.com>
      Link: http://lkml.kernel.org/r/20200423154503.5103-3-dja@axtens.netSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6d49d04c
    • Hans de Goede's avatar
      platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type · 6e048553
      Hans de Goede authored
      [ Upstream commit cfae58ed ]
      
      The HP Stream x360 11-p000nd no longer report SW_TABLET_MODE state / events
      with recent kernels. This model reports a chassis-type of 10 / "Notebook"
      which is not on the recently introduced chassis-type whitelist
      
      Commit de9647ef ("platform/x86: intel-vbtn: Only activate tablet mode
      switch on 2-in-1's") added a chassis-type whitelist and only listed 31 /
      "Convertible" as being capable of generating valid SW_TABLET_MOD events.
      
      Commit 1fac39fd ("platform/x86: intel-vbtn: Also handle tablet-mode
      switch on "Detachable" and "Portable" chassis-types") extended the
      whitelist with chassis-types 8 / "Portable" and 32 / "Detachable".
      
      And now we need to exten the whitelist again with 10 / "Notebook"...
      
      The issue original fixed by the whitelist is really a ACPI DSDT bug on
      the Dell XPS 9360 where it has a VGBS which reports it is in tablet mode
      even though it is not a 2-in-1 at all, but a regular laptop.
      
      So since this is a workaround for a DSDT issue on that specific model,
      instead of extending the whitelist over and over again, lets switch to
      a blacklist and only blacklist the chassis-type of the model for which
      the chassis-type check was added.
      
      Note this also fixes the current version of the code no longer checking
      if dmi_get_system_info(DMI_CHASSIS_TYPE) returns NULL.
      
      Fixes: 1fac39fd ("platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types")
      Cc: Mario Limonciello <mario.limonciello@dell.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Reviewed-by: default avatarMario Limonciello <Mario.limonciello@dell.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6e048553
    • Nickolai Kozachenko's avatar
      platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015) · da725858
      Nickolai Kozachenko authored
      [ Upstream commit 8fe63eb7 ]
      
      HEBC method reports capabilities of 5 button array but HP Spectre X2 (2015)
      does not have this control method (the same was for Wacom MobileStudio Pro).
      Expand previous DMI quirk by Alex Hung to also enable 5 button array
      for this system.
      Signed-off-by: default avatarNickolai Kozachenko <daemongloom@gmail.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      da725858
    • Andy Shevchenko's avatar
      platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32() · 1a3cee00
      Andy Shevchenko authored
      [ Upstream commit 5cdc45ed ]
      
      First of all, unsigned long can overflow u32 value on 64-bit machine.
      Second, simple_strtoul() doesn't check for overflow in the input.
      
      Convert simple_strtoul() to kstrtou32() to eliminate above issues.
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      1a3cee00
    • Qiushi Wu's avatar
      cpuidle: Fix three reference count leaks · fad0431b
      Qiushi Wu authored
      [ Upstream commit c343bf1b ]
      
      kobject_init_and_add() takes reference even when it fails.
      If this function returns an error, kobject_put() must be called to
      properly clean up the memory associated with the object.
      
      Previous commit "b8eb7183" fixed a similar problem.
      Signed-off-by: default avatarQiushi Wu <wu000273@umn.edu>
      [ rjw: Subject ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fad0431b
    • Serge Semin's avatar
      spi: dw: Return any value retrieved from the dma_transfer callback · 6d15fe48
      Serge Semin authored
      [ Upstream commit f0410bbf ]
      
      DW APB SSI DMA-part of the driver may need to perform the requested
      SPI-transfer synchronously. In that case the dma_transfer() callback
      will return 0 as a marker of the SPI transfer being finished so the
      SPI core doesn't need to wait and may proceed with the SPI message
      trasnfers pumping procedure. This will be needed to fix the problem
      when DMA transactions are finished, but there is still data left in
      the SPI Tx/Rx FIFOs being sent/received. But for now make dma_transfer
      to return 1 as the normal dw_spi_transfer_one() method.
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: Georgy Vlasov <Georgy.Vlasov@baikalelectronics.ru>
      Cc: Ramil Zaripov <Ramil.Zaripov@baikalelectronics.ru>
      Cc: Alexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: Feng Tang <feng.tang@intel.com>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: linux-mips@vger.kernel.org
      Cc: devicetree@vger.kernel.org
      Link: https://lore.kernel.org/r/20200529131205.31838-3-Sergey.Semin@baikalelectronics.ruSigned-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6d15fe48
    • Haibo Chen's avatar
      mmc: sdhci-esdhc-imx: fix the mask for tuning start point · 6190bf27
      Haibo Chen authored
      [ Upstream commit 1194be8c ]
      
      According the RM, the bit[6~0] of register ESDHC_TUNING_CTRL is
      TUNING_START_TAP, bit[7] of this register is to disable the command
      CRC check for standard tuning. So fix it here.
      
      Fixes: d87fc966 ("mmc: sdhci-esdhc-imx: support setting tuning start point")
      Signed-off-by: default avatarHaibo Chen <haibo.chen@nxp.com>
      Link: https://lore.kernel.org/r/1590488522-9292-1-git-send-email-haibo.chen@nxp.comSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6190bf27
    • Xie XiuQi's avatar
      ixgbe: fix signed-integer-overflow warning · a7a2e0c2
      Xie XiuQi authored
      [ Upstream commit 3b70683f ]
      
      ubsan report this warning, fix it by adding a unsigned suffix.
      
      UBSAN: signed-integer-overflow in
      drivers/net/ethernet/intel/ixgbe/ixgbe_common.c:2246:26
      65535 * 65537 cannot be represented in type 'int'
      CPU: 21 PID: 7 Comm: kworker/u256:0 Not tainted 5.7.0-rc3-debug+ #39
      Hardware name: Huawei TaiShan 2280 V2/BC82AMDC, BIOS 2280-V2 03/27/2020
      Workqueue: ixgbe ixgbe_service_task [ixgbe]
      Call trace:
       dump_backtrace+0x0/0x3f0
       show_stack+0x28/0x38
       dump_stack+0x154/0x1e4
       ubsan_epilogue+0x18/0x60
       handle_overflow+0xf8/0x148
       __ubsan_handle_mul_overflow+0x34/0x48
       ixgbe_fc_enable_generic+0x4d0/0x590 [ixgbe]
       ixgbe_service_task+0xc20/0x1f78 [ixgbe]
       process_one_work+0x8f0/0xf18
       worker_thread+0x430/0x6d0
       kthread+0x218/0x238
       ret_from_fork+0x10/0x18
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarXie XiuQi <xiexiuqi@huawei.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a7a2e0c2
    • Ulf Hansson's avatar
      mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core · 4fb193a4
      Ulf Hansson authored
      [ Upstream commit 966244cc ]
      
      Using a fixed 1s timeout for all commands (and data transfers) is a bit
      problematic.
      
      For some commands it means waiting longer than needed for the timer to
      expire, which may not a big issue, but still. For other commands, like for
      an erase (CMD38) that uses a R1B response, may require longer timeouts than
      1s. In these cases, we may end up treating the command as it failed, while
      it just needed some more time to complete successfully.
      
      Fix the problem by respecting the cmd->busy_timeout, which is provided by
      the mmc core.
      
      Cc: Bruce Chang <brucechang@via.com.tw>
      Cc: Harald Welte <HaraldWelte@viatech.com>
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Link: https://lore.kernel.org/r/20200414161413.3036-17-ulf.hansson@linaro.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      4fb193a4
    • Ulf Hansson's avatar
      staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core · 2c4db628
      Ulf Hansson authored
      [ Upstream commit a389087e ]
      
      Using a fixed 1s timeout for all commands is a bit problematic.
      
      For some commands it means waiting longer than needed for the timeout to
      expire, which may not a big issue, but still. For other commands, like for
      an erase (CMD38) that uses a R1B response, may require longer timeouts than
      1s. In these cases, we may end up treating the command as it failed, while
      it just needed some more time to complete successfully.
      
      Fix the problem by respecting the cmd->busy_timeout, which is provided by
      the mmc core.
      
      Cc: Rui Miguel Silva <rmfrfs@gmail.com>
      Cc: Johan Hovold <johan@kernel.org>
      Cc: Alex Elder <elder@kernel.org>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: greybus-dev@lists.linaro.org
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Acked-by: default avatarRui Miguel Silva <rmfrfs@gmail.com>
      Acked-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Link: https://lore.kernel.org/r/20200414161413.3036-20-ulf.hansson@linaro.orgSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2c4db628
    • Veerabhadrarao Badiganti's avatar
      mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk · 59b87f26
      Veerabhadrarao Badiganti authored
      [ Upstream commit d863cb03 ]
      
      sdhci-msm can support auto cmd12.
      So enable SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk.
      Signed-off-by: default avatarVeerabhadrarao Badiganti <vbadigan@codeaurora.org>
      Acked-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Link: https://lore.kernel.org/r/1587363626-20413-3-git-send-email-vbadigan@codeaurora.orgSigned-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      59b87f26
    • Coly Li's avatar
      bcache: fix refcount underflow in bcache_device_free() · 63581542
      Coly Li authored
      [ Upstream commit 86da9f73 ]
      
      The problematic code piece in bcache_device_free() is,
      
       785 static void bcache_device_free(struct bcache_device *d)
       786 {
       787     struct gendisk *disk = d->disk;
       [snipped]
       799     if (disk) {
       800             if (disk->flags & GENHD_FL_UP)
       801                     del_gendisk(disk);
       802
       803             if (disk->queue)
       804                     blk_cleanup_queue(disk->queue);
       805
       806             ida_simple_remove(&bcache_device_idx,
       807                               first_minor_to_idx(disk->first_minor));
       808             put_disk(disk);
       809         }
       [snipped]
       816 }
      
      At line 808, put_disk(disk) may encounter kobject refcount of 'disk'
      being underflow.
      
      Here is how to reproduce the issue,
      - Attche the backing device to a cache device and do random write to
        make the cache being dirty.
      - Stop the bcache device while the cache device has dirty data of the
        backing device.
      - Only register the backing device back, NOT register cache device.
      - The bcache device node /dev/bcache0 won't show up, because backing
        device waits for the cache device shows up for the missing dirty
        data.
      - Now echo 1 into /sys/fs/bcache/pendings_cleanup, to stop the pending
        backing device.
      - After the pending backing device stopped, use 'dmesg' to check kernel
        message, a use-after-free warning from KASA reported the refcount of
        kobject linked to the 'disk' is underflow.
      
      The dropping refcount at line 808 in the above code piece is added by
      add_disk(d->disk) in bch_cached_dev_run(). But in the above condition
      the cache device is not registered, bch_cached_dev_run() has no chance
      to be called and the refcount is not added. The put_disk() for a non-
      added refcount of gendisk kobject triggers a underflow warning.
      
      This patch checks whether GENHD_FL_UP is set in disk->flags, if it is
      not set then the bcache device was not added, don't call put_disk()
      and the the underflow issue can be avoided.
      Signed-off-by: default avatarColy Li <colyli@suse.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      63581542
    • YuanJunQing's avatar
      MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() · dfb3dbf0
      YuanJunQing authored
      [ Upstream commit 31e1b3ef ]
      
      Register "a1" is unsaved in this function,
       when CONFIG_TRACE_IRQFLAGS is enabled,
       the TRACE_IRQS_OFF macro will call trace_hardirqs_off(),
       and this may change register "a1".
       The changed register "a1" as argument will be send
       to do_fpe() and do_msa_fpe().
      Signed-off-by: default avatarYuanJunQing <yuanjunqing66@163.com>
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      dfb3dbf0
    • Jiaxun Yang's avatar
      PCI: Don't disable decoding when mmio_always_on is set · 40a94a1a
      Jiaxun Yang authored
      [ Upstream commit b6caa1d8 ]
      
      Don't disable MEM/IO decoding when a device have both non_compliant_bars
      and mmio_always_on.
      
      That would allow us quirk devices with junk in BARs but can't disable
      their decoding.
      Signed-off-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Acked-by: default avatarBjorn Helgaas <helgaas@kernel.org>
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      40a94a1a
    • Alexander Sverdlin's avatar
      macvlan: Skip loopback packets in RX handler · 133b3d24
      Alexander Sverdlin authored
      [ Upstream commit 81f3dc93 ]
      
      Ignore loopback-originatig packets soon enough and don't try to process L2
      header where it doesn't exist. The very similar br_handle_frame() in bridge
      code performs exactly the same check.
      
      This is an example of such ICMPv6 packet:
      
      skb len=96 headroom=40 headlen=96 tailroom=56
      mac=(40,0) net=(40,40) trans=80
      shinfo(txflags=0 nr_frags=0 gso(size=0 type=0 segs=0))
      csum(0xae2e9a2f ip_summed=1 complete_sw=0 valid=0 level=0)
      hash(0xc97ebd88 sw=1 l4=1) proto=0x86dd pkttype=5 iif=24
      dev name=etha01.212 feat=0x0x0000000040005000
      skb headroom: 00000000: 00 7c 86 52 84 88 ff ff 00 00 00 00 00 00 08 00
      skb headroom: 00000010: 45 00 00 9e 5d 5c 40 00 40 11 33 33 00 00 00 01
      skb headroom: 00000020: 02 40 43 80 00 00 86 dd
      skb linear:   00000000: 60 09 88 bd 00 38 3a ff fe 80 00 00 00 00 00 00
      skb linear:   00000010: 00 40 43 ff fe 80 00 00 ff 02 00 00 00 00 00 00
      skb linear:   00000020: 00 00 00 00 00 00 00 01 86 00 61 00 40 00 00 2d
      skb linear:   00000030: 00 00 00 00 00 00 00 00 03 04 40 e0 00 00 01 2c
      skb linear:   00000040: 00 00 00 78 00 00 00 00 fd 5f 42 68 23 87 a8 81
      skb linear:   00000050: 00 00 00 00 00 00 00 00 01 01 02 40 43 80 00 00
      skb tailroom: 00000000: ...
      skb tailroom: 00000010: ...
      skb tailroom: 00000020: ...
      skb tailroom: 00000030: ...
      
      Call Trace, how it happens exactly:
       ...
       macvlan_handle_frame+0x321/0x425 [macvlan]
       ? macvlan_forward_source+0x110/0x110 [macvlan]
       __netif_receive_skb_core+0x545/0xda0
       ? enqueue_task_fair+0xe5/0x8e0
       ? __netif_receive_skb_one_core+0x36/0x70
       __netif_receive_skb_one_core+0x36/0x70
       process_backlog+0x97/0x140
       net_rx_action+0x1eb/0x350
       ? __hrtimer_run_queues+0x136/0x2e0
       __do_softirq+0xe3/0x383
       do_softirq_own_stack+0x2a/0x40
       </IRQ>
       do_softirq.part.4+0x4e/0x50
       netif_rx_ni+0x60/0xd0
       dev_loopback_xmit+0x83/0xf0
       ip6_finish_output2+0x575/0x590 [ipv6]
       ? ip6_cork_release.isra.1+0x64/0x90 [ipv6]
       ? __ip6_make_skb+0x38d/0x680 [ipv6]
       ? ip6_output+0x6c/0x140 [ipv6]
       ip6_output+0x6c/0x140 [ipv6]
       ip6_send_skb+0x1e/0x60 [ipv6]
       rawv6_sendmsg+0xc4b/0xe10 [ipv6]
       ? proc_put_long+0xd0/0xd0
       ? rw_copy_check_uvector+0x4e/0x110
       ? sock_sendmsg+0x36/0x40
       sock_sendmsg+0x36/0x40
       ___sys_sendmsg+0x2b6/0x2d0
       ? proc_dointvec+0x23/0x30
       ? addrconf_sysctl_forward+0x8d/0x250 [ipv6]
       ? dev_forward_change+0x130/0x130 [ipv6]
       ? _raw_spin_unlock+0x12/0x30
       ? proc_sys_call_handler.isra.14+0x9f/0x110
       ? __call_rcu+0x213/0x510
       ? get_max_files+0x10/0x10
       ? trace_hardirqs_on+0x2c/0xe0
       ? __sys_sendmsg+0x63/0xa0
       __sys_sendmsg+0x63/0xa0
       do_syscall_64+0x6c/0x1e0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      133b3d24
    • Qu Wenruo's avatar
      btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup · 4ab61600
      Qu Wenruo authored
      [ Upstream commit cbab8ade ]
      
      [BUG]
      For the following operation, qgroup is guaranteed to be screwed up due
      to snapshot adding to a new qgroup:
      
        # mkfs.btrfs -f $dev
        # mount $dev $mnt
        # btrfs qgroup en $mnt
        # btrfs subv create $mnt/src
        # xfs_io -f -c "pwrite 0 1m" $mnt/src/file
        # sync
        # btrfs qgroup create 1/0 $mnt/src
        # btrfs subv snapshot -i 1/0 $mnt/src $mnt/snapshot
        # btrfs qgroup show -prce $mnt/src
        qgroupid         rfer         excl     max_rfer     max_excl parent  child
        --------         ----         ----     --------     -------- ------  -----
        0/5          16.00KiB     16.00KiB         none         none ---     ---
        0/257         1.02MiB     16.00KiB         none         none ---     ---
        0/258         1.02MiB     16.00KiB         none         none 1/0     ---
        1/0             0.00B        0.00B         none         none ---     0/258
      	        ^^^^^^^^^^^^^^^^^^^^
      
      [CAUSE]
      The problem is in btrfs_qgroup_inherit(), we don't have good enough
      check to determine if the new relation would break the existing
      accounting.
      
      Unlike btrfs_add_qgroup_relation(), which has proper check to determine
      if we can do quick update without a rescan, in btrfs_qgroup_inherit() we
      can even assign a snapshot to multiple qgroups.
      
      [FIX]
      Fix it by manually marking qgroup inconsistent for snapshot inheritance.
      
      For subvolume creation, since all its extents are exclusively owned, we
      don't need to rescan.
      
      In theory, we should call relation check like quick_update_accounting()
      when doing qgroup inheritance and inform user about qgroup accounting
      inconsistency.
      
      But we don't have good mechanism to relay that back to the user in the
      snapshot creation context, thus we can only silently mark the qgroup
      inconsistent.
      
      Anyway, user shouldn't use qgroup inheritance during snapshot creation,
      and should add qgroup relationship after snapshot creation by 'btrfs
      qgroup assign', which has a much better UI to inform user about qgroup
      inconsistent and kick in rescan automatically.
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarQu Wenruo <wqu@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      4ab61600
    • Finn Thain's avatar
      m68k: mac: Don't call via_flush_cache() on Mac IIfx · 7736adec
      Finn Thain authored
      [ Upstream commit bcc44f6b ]
      
      There is no VIA2 chip on the Mac IIfx, so don't call via_flush_cache().
      This avoids a boot crash which appeared in v5.4.
      
      printk: console [ttyS0] enabled
      printk: bootconsole [debug0] disabled
      printk: bootconsole [debug0] disabled
      Calibrating delay loop... 9.61 BogoMIPS (lpj=48064)
      pid_max: default: 32768 minimum: 301
      Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
      Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
      devtmpfs: initialized
      random: get_random_u32 called from bucket_table_alloc.isra.27+0x68/0x194 with crng_init=0
      clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
      futex hash table entries: 256 (order: -1, 3072 bytes, linear)
      NET: Registered protocol family 16
      Data read fault at 0x00000000 in Super Data (pc=0x8a6a)
      BAD KERNEL BUSERR
      Oops: 00000000
      Modules linked in:
      PC: [<00008a6a>] via_flush_cache+0x12/0x2c
      SR: 2700  SP: 01c1fe3c  a2: 01c24000
      d0: 00001119    d1: 0000000c    d2: 00012000    d3: 0000000f
      d4: 01c06840    d5: 00033b92    a0: 00000000    a1: 00000000
      Process swapper (pid: 1, task=01c24000)
      Frame format=B ssw=0755 isc=0200 isb=fff7 daddr=00000000 dobuf=01c1fed0
      baddr=00008a6e dibuf=0000004e ver=f
      Stack from 01c1fec4:
              01c1fed0 00007d7e 00010080 01c1fedc 0000792e 00000001 01c1fef4 00006b40
              01c80000 00040000 00000006 00000003 01c1ff1c 004a545e 004ff200 00040000
              00000000 00000003 01c06840 00033b92 004a5410 004b6c88 01c1ff84 000021e2
              00000073 00000003 01c06840 00033b92 0038507a 004bb094 004b6ca8 004b6c88
              004b6ca4 004b6c88 000021ae 00020002 00000000 01c0685d 00000000 01c1ffb4
              0049f938 00409c85 01c06840 0045bd40 00000073 00000002 00000002 00000000
      Call Trace: [<00007d7e>] mac_cache_card_flush+0x12/0x1c
       [<00010080>] fix_dnrm+0x2/0x18
       [<0000792e>] cache_push+0x46/0x5a
       [<00006b40>] arch_dma_prep_coherent+0x60/0x6e
       [<00040000>] switched_to_dl+0x76/0xd0
       [<004a545e>] dma_atomic_pool_init+0x4e/0x188
       [<00040000>] switched_to_dl+0x76/0xd0
       [<00033b92>] parse_args+0x0/0x370
       [<004a5410>] dma_atomic_pool_init+0x0/0x188
       [<000021e2>] do_one_initcall+0x34/0x1be
       [<00033b92>] parse_args+0x0/0x370
       [<0038507a>] strcpy+0x0/0x1e
       [<000021ae>] do_one_initcall+0x0/0x1be
       [<00020002>] do_proc_dointvec_conv+0x54/0x74
       [<0049f938>] kernel_init_freeable+0x126/0x190
       [<0049f94c>] kernel_init_freeable+0x13a/0x190
       [<004a5410>] dma_atomic_pool_init+0x0/0x188
       [<00041798>] complete+0x0/0x3c
       [<000b9b0c>] kfree+0x0/0x20a
       [<0038df98>] schedule+0x0/0xd0
       [<0038d604>] kernel_init+0x0/0xda
       [<0038d610>] kernel_init+0xc/0xda
       [<0038d604>] kernel_init+0x0/0xda
       [<00002d38>] ret_from_kernel_thread+0xc/0x14
      Code: 0000 2079 0048 10da 2279 0048 10c8 d3c8 <1011> 0200 fff7 1280 d1f9 0048 10c8 1010 0000 0008 1080 4e5e 4e75 4e56 0000 2039
      Disabling lock debugging due to kernel taint
      Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      Thanks to Stan Johnson for capturing the console log and running git
      bisect.
      
      Git bisect said commit 8e3a68fb ("dma-mapping: make
      dma_atomic_pool_init self-contained") is the first "bad" commit. I don't
      know why. Perhaps mach_l2_flush first became reachable with that commit.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Reported-and-tested-by: default avatarStan Johnson <userm57@yahoo.com>
      Signed-off-by: default avatarFinn Thain <fthain@telegraphics.com.au>
      Cc: Joshua Thompson <funaho@jurai.org>
      Link: https://lore.kernel.org/r/b8bbeef197d6b3898e82ed0d231ad08f575a4b34.1589949122.git.fthain@telegraphics.com.auSigned-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7736adec
    • Arvind Sankar's avatar
      x86/mm: Stop printing BRK addresses · 7fe5e915
      Arvind Sankar authored
      [ Upstream commit 67d631b7 ]
      
      This currently leaks kernel physical addresses into userspace.
      Signed-off-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Acked-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarDave Hansen <dave.hansen@intel.com>
      Link: https://lkml.kernel.org/r/20200229231120.1147527-1-nivedita@alum.mit.eduSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      7fe5e915
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix multi-instance · 06bd7d87
      Nicolas Toromanoff authored
      [ Upstream commit 10b89c43 ]
      
      Ensure CRC algorithm is registered only once in crypto framework when
      there are several instances of CRC devices.
      
      Update the CRC device list management to avoid that only the first CRC
      instance is used.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      06bd7d87
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix run-time self test issue. · a94c7a08
      Nicolas Toromanoff authored
      [ Upstream commit a8cc3128 ]
      
      Fix wrong crc32 initialisation value:
      "alg: shash: stm32_crc32 test failed (wrong result) on test vector 0,
      cfg="init+update+final aligned buffer"
      cra_name="crc32c" expects an init value of 0XFFFFFFFF,
      cra_name="crc32" expects an init value of 0.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a94c7a08
    • Nicolas Toromanoff's avatar
      crypto: stm32/crc32 - fix ext4 chksum BUG_ON() · b5528bda
      Nicolas Toromanoff authored
      [ Upstream commit 49c2c082 ]
      
      Allow use of crc_update without prior call to crc_init.
      And change (and fix) driver to use CRC device even on unaligned buffers.
      
      Fixes: b51dbe90 ("crypto: stm32 - Support for STM32 CRC32 crypto module")
      Signed-off-by: default avatarNicolas Toromanoff <nicolas.toromanoff@st.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b5528bda
    • Serge Semin's avatar
      mips: Add udelay lpj numbers adjustment · 240934c2
      Serge Semin authored
      [ Upstream commit ed26aacf ]
      
      Loops-per-jiffies is a special number which represents a number of
      noop-loop cycles per CPU-scheduler quantum - jiffies. As you
      understand aside from CPU-specific implementation it depends on
      the CPU frequency. So when a platform has the CPU frequency fixed,
      we have no problem and the current udelay interface will work
      just fine. But as soon as CPU-freq driver is enabled and the cores
      frequency changes, we'll end up with distorted udelay's. In order
      to fix this we have to accordinly adjust the per-CPU udelay_val
      (the same as the global loops_per_jiffy) number. This can be done
      in the CPU-freq transition event handler. We subscribe to that event
      in the MIPS arch time-inititalization method.
      Co-developed-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Reviewed-by: default avatarJiaxun Yang <jiaxun.yang@flygoat.com>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: devicetree@vger.kernel.org
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      240934c2
    • Serge Semin's avatar
      mips: MAAR: Use more precise address mask · 909b50e8
      Serge Semin authored
      [ Upstream commit bbb5946e ]
      
      Indeed according to the MIPS32 Privileged Resource Architecgture the MAAR
      pair register address field either takes [12:31] bits for non-XPA systems
      and [12:55] otherwise. In any case the current address mask is just
      wrong for 64-bit and 32-bits XPA chips. So lets extend it to 59-bits
      of physical address value. This shall cover the 64-bits architecture and
      systems with XPA enabled, and won't cause any problem for non-XPA 32-bit
      systems, since address values exceeding the architecture specific MAAR
      mask will be just truncated with setting zeros in the unsupported upper
      bits.
      Co-developed-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarAlexey Malahov <Alexey.Malahov@baikalelectronics.ru>
      Signed-off-by: default avatarSerge Semin <Sergey.Semin@baikalelectronics.ru>
      Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
      Cc: Paul Burton <paulburton@kernel.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: devicetree@vger.kernel.org
      Signed-off-by: default avatarThomas Bogendoerfer <tsbogend@alpha.franken.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      909b50e8
    • Arvind Sankar's avatar
      x86/boot: Correct relocation destination on old linkers · 9b7dbeed
      Arvind Sankar authored
      [ Upstream commit 5214028d ]
      
      For the 32-bit kernel, as described in
      
        6d92bc9d ("x86/build: Build compressed x86 kernels as PIE"),
      
      pre-2.26 binutils generates R_386_32 relocations in PIE mode. Since the
      startup code does not perform relocation, any reloc entry with R_386_32
      will remain as 0 in the executing code.
      
      Commit
      
        974f221c ("x86/boot: Move compressed kernel to the end of the
                       decompression buffer")
      
      added a new symbol _end but did not mark it hidden, which doesn't give
      the correct offset on older linkers. This causes the compressed kernel
      to be copied beyond the end of the decompression buffer, rather than
      flush against it. This region of memory may be reserved or already
      allocated for other purposes by the bootloader.
      
      Mark _end as hidden to fix. This changes the relocation from R_386_32 to
      R_386_RELATIVE even on the pre-2.26 binutils.
      
      For 64-bit, this is not strictly necessary, as the 64-bit kernel is only
      built as PIE if the linker supports -z noreloc-overflow, which implies
      binutils-2.27+, but for consistency, mark _end as hidden here too.
      
      The below illustrates the before/after impact of the patch using
      binutils-2.25 and gcc-4.6.4 (locally compiled from source) and QEMU.
      
        Disassembly before patch:
          48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
          4e:   2d 00 00 00 00          sub    $0x0,%eax
                                4f: R_386_32    _end
        Disassembly after patch:
          48:   8b 86 60 02 00 00       mov    0x260(%esi),%eax
          4e:   2d 00 f0 76 00          sub    $0x76f000,%eax
                                4f: R_386_RELATIVE      *ABS*
      
      Dump from extract_kernel before patch:
      	early console in extract_kernel
      	input_data: 0x0207c098 <--- this is at output + init_size
      	input_len: 0x0074fef1
      	output: 0x01000000
      	output_len: 0x00fa63d0
      	kernel_total_size: 0x0107c000
      	needed_size: 0x0107c000
      
      Dump from extract_kernel after patch:
      	early console in extract_kernel
      	input_data: 0x0190d098 <--- this is at output + init_size - _end
      	input_len: 0x0074fef1
      	output: 0x01000000
      	output_len: 0x00fa63d0
      	kernel_total_size: 0x0107c000
      	needed_size: 0x0107c000
      
      Fixes: 974f221c ("x86/boot: Move compressed kernel to the end of the decompression buffer")
      Signed-off-by: default avatarArvind Sankar <nivedita@alum.mit.edu>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Link: https://lkml.kernel.org/r/20200207214926.3564079-1-nivedita@alum.mit.eduSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      9b7dbeed
    • Pali Rohár's avatar
      mwifiex: Fix memory corruption in dump_station · be2ce127
      Pali Rohár authored
      [ Upstream commit 3aa42bae ]
      
      The mwifiex_cfg80211_dump_station() uses static variable for iterating
      over a linked list of all associated stations (when the driver is in UAP
      role). This has a race condition if .dump_station is called in parallel
      for multiple interfaces. This corruption can be triggered by registering
      multiple SSIDs and calling, in parallel for multiple interfaces
          iw dev <iface> station dump
      
      [16750.719775] Unable to handle kernel paging request at virtual address dead000000000110
      ...
      [16750.899173] Call trace:
      [16750.901696]  mwifiex_cfg80211_dump_station+0x94/0x100 [mwifiex]
      [16750.907824]  nl80211_dump_station+0xbc/0x278 [cfg80211]
      [16750.913160]  netlink_dump+0xe8/0x320
      [16750.916827]  netlink_recvmsg+0x1b4/0x338
      [16750.920861]  ____sys_recvmsg+0x7c/0x2b0
      [16750.924801]  ___sys_recvmsg+0x70/0x98
      [16750.928564]  __sys_recvmsg+0x58/0xa0
      [16750.932238]  __arm64_sys_recvmsg+0x28/0x30
      [16750.936453]  el0_svc_common.constprop.3+0x90/0x158
      [16750.941378]  do_el0_svc+0x74/0x90
      [16750.944784]  el0_sync_handler+0x12c/0x1a8
      [16750.948903]  el0_sync+0x114/0x140
      [16750.952312] Code: f9400003 f907f423 eb02007f 54fffd60 (b9401060)
      [16750.958583] ---[ end trace c8ad181c2f4b8576 ]---
      
      This patch drops the use of the static iterator, and instead every time
      the function is called iterates to the idx-th position of the
      linked-list.
      
      It would be better to convert the code not to use linked list for
      associated stations storage (since the chip has a limited number of
      associated stations anyway - it could just be an array). Such a change
      may be proposed in the future. In the meantime this patch can backported
      into stable kernels in this simple form.
      
      Fixes: 8baca1a3 ("mwifiex: dump station support in uap mode")
      Signed-off-by: default avatarPali Rohár <pali@kernel.org>
      Acked-by: default avatarGanapathi Bhat <ganapathi.bhat@nxp.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200515075924.13841-1-pali@kernel.orgSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      be2ce127
    • Dan Carpenter's avatar
      rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() · 2048a786
      Dan Carpenter authored
      [ Upstream commit beb12813 ]
      
      Seven years ago we tried to fix a leak but actually introduced a double
      free instead.  It was an understandable mistake because the code was a
      bit confusing and the free was done in the wrong place.  The "skb"
      pointer is freed in both _rtl_usb_tx_urb_setup() and _rtl_usb_transmit().
      The free belongs _rtl_usb_transmit() instead of _rtl_usb_tx_urb_setup()
      and I've cleaned the code up a bit to hopefully make it more clear.
      
      Fixes: 36ef0b47 ("rtlwifi: usb: add missing freeing of skbuff")
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Link: https://lore.kernel.org/r/20200513093951.GD347693@mwandaSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      2048a786