1. 21 Sep, 2019 2 commits
  2. 19 Sep, 2019 38 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.19.74 · dbc29aff
      Greg Kroah-Hartman authored
      dbc29aff
    • Linus Torvalds's avatar
      x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning · 9d587fe2
      Linus Torvalds authored
      commit 42e0e954 upstream.
      
      One of the very few warnings I have in the current build comes from
      arch/x86/boot/edd.c, where I get the following with a gcc9 build:
      
         arch/x86/boot/edd.c: In function ‘query_edd’:
         arch/x86/boot/edd.c:148:11: warning: taking address of packed member of ‘struct boot_params’ may result in an unaligned pointer value [-Waddress-of-packed-member]
           148 |  mbrptr = boot_params.edd_mbr_sig_buffer;
               |           ^~~~~~~~~~~
      
      This warning triggers because we throw away all the CFLAGS and then make
      a new set for REALMODE_CFLAGS, so the -Wno-address-of-packed-member we
      added in the following commit is not present:
      
        6f303d60 ("gcc-9: silence 'address-of-packed-member' warning")
      
      The simplest solution for now is to adjust the warning for this version
      of CFLAGS as well, but it would definitely make sense to examine whether
      REALMODE_CFLAGS could be derived from CFLAGS, so that it picks up changes
      in the compiler flags environment automatically.
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Acked-by: default avatarBorislav Petkov <bp@alien8.de>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d587fe2
    • Jean Delvare's avatar
      nvmem: Use the same permissions for eeprom as for nvmem · 96c08711
      Jean Delvare authored
      commit e70d8b28 upstream.
      
      The compatibility "eeprom" attribute is currently root-only no
      matter what the configuration says. The "nvmem" attribute does
      respect the setting of the root_only configuration bit, so do the
      same for "eeprom".
      Signed-off-by: default avatarJean Delvare <jdelvare@suse.de>
      Fixes: b6c217ab ("nvmem: Add backwards compatibility support for older EEPROM drivers.")
      Reviewed-by: default avatarBartosz Golaszewski <bgolaszewski@baylibre.com>
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Link: https://lore.kernel.org/r/20190728184255.563332e6@endymionSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      96c08711
    • Hui Peng's avatar
      rsi: fix a double free bug in rsi_91x_deinit() · 3622d621
      Hui Peng authored
      commit 8b51dc72 upstream.
      
      `dev` (struct rsi_91x_usbdev *) field of adapter
      (struct rsi_91x_usbdev *) is allocated  and initialized in
      `rsi_init_usb_interface`. If any error is detected in information
      read from the device side,  `rsi_init_usb_interface` will be
      freed. However, in the higher level error handling code in
      `rsi_probe`, if error is detected, `rsi_91x_deinit` is called
      again, in which `dev` will be freed again, resulting double free.
      
      This patch fixes the double free by removing the free operation on
      `dev` in `rsi_init_usb_interface`, because `rsi_91x_deinit` is also
      used in `rsi_disconnect`, in that code path, the `dev` field is not
       (and thus needs to be) freed.
      
      This bug was found in v4.19, but is also present in the latest version
      of kernel. Fixes CVE-2019-15504.
      Reported-by: default avatarHui Peng <benquike@gmail.com>
      Reported-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Signed-off-by: default avatarHui Peng <benquike@gmail.com>
      Reviewed-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3622d621
    • Steffen Dirkwinkel's avatar
      platform/x86: pmc_atom: Add CB4063 Beckhoff Automation board to critclk_systems DMI table · 780f3aad
      Steffen Dirkwinkel authored
      commit 9452fbf5 upstream.
      
      The CB4063 board uses pmc_plt_clk* clocks for ethernet controllers. This
      adds it to the critclk_systems DMI table so the clocks are marked as
      CLK_CRITICAL and not turned off.
      
      Fixes: 648e9218 ("clk: x86: Stop marking clocks as CLK_IS_CRITICAL")
      Signed-off-by: default avatarSteffen Dirkwinkel <s.dirkwinkel@beckhoff.com>
      Signed-off-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      780f3aad
    • Yang Yingliang's avatar
      modules: fix compile error if don't have strict module rwx · 52bfcc9c
      Yang Yingliang authored
      commit 93651f80 upstream.
      
      If CONFIG_ARCH_HAS_STRICT_MODULE_RWX is not defined,
      we need stub for module_enable_nx() and module_enable_x().
      
      If CONFIG_ARCH_HAS_STRICT_MODULE_RWX is defined, but
      CONFIG_STRICT_MODULE_RWX is disabled, we need stub for
      module_enable_nx.
      
      Move frob_text() outside of the CONFIG_STRICT_MODULE_RWX,
      because it is needed anyway.
      
      Fixes: 2eef1399 ("modules: fix BUG when load module with rodata=n")
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarJessica Yu <jeyu@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      52bfcc9c
    • Yang Yingliang's avatar
      modules: fix BUG when load module with rodata=n · ae415d7a
      Yang Yingliang authored
      commit 2eef1399 upstream.
      
      When loading a module with rodata=n, it causes an executing
      NX-protected page BUG.
      
      [   32.379191] kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
      [   32.382917] BUG: unable to handle page fault for address: ffffffffc0005000
      [   32.385947] #PF: supervisor instruction fetch in kernel mode
      [   32.387662] #PF: error_code(0x0011) - permissions violation
      [   32.389352] PGD 240c067 P4D 240c067 PUD 240e067 PMD 421a52067 PTE 8000000421a53063
      [   32.391396] Oops: 0011 [#1] SMP PTI
      [   32.392478] CPU: 7 PID: 2697 Comm: insmod Tainted: G           O      5.2.0-rc5+ #202
      [   32.394588] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      [   32.398157] RIP: 0010:ko_test_init+0x0/0x1000 [ko_test]
      [   32.399662] Code: Bad RIP value.
      [   32.400621] RSP: 0018:ffffc900029f3ca8 EFLAGS: 00010246
      [   32.402171] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
      [   32.404332] RDX: 00000000000004c7 RSI: 0000000000000cc0 RDI: ffffffffc0005000
      [   32.406347] RBP: ffffffffc0005000 R08: ffff88842fbebc40 R09: ffffffff810ede4a
      [   32.408392] R10: ffffea00108e3480 R11: 0000000000000000 R12: ffff88842bee21a0
      [   32.410472] R13: 0000000000000001 R14: 0000000000000001 R15: ffffc900029f3e78
      [   32.412609] FS:  00007fb4f0c0a700(0000) GS:ffff88842fbc0000(0000) knlGS:0000000000000000
      [   32.414722] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   32.416290] CR2: ffffffffc0004fd6 CR3: 0000000421a90004 CR4: 0000000000020ee0
      [   32.418471] Call Trace:
      [   32.419136]  do_one_initcall+0x41/0x1df
      [   32.420199]  ? _cond_resched+0x10/0x40
      [   32.421433]  ? kmem_cache_alloc_trace+0x36/0x160
      [   32.422827]  do_init_module+0x56/0x1f7
      [   32.423946]  load_module+0x1e67/0x2580
      [   32.424947]  ? __alloc_pages_nodemask+0x150/0x2c0
      [   32.426413]  ? map_vm_area+0x2d/0x40
      [   32.427530]  ? __vmalloc_node_range+0x1ef/0x260
      [   32.428850]  ? __do_sys_init_module+0x135/0x170
      [   32.430060]  ? _cond_resched+0x10/0x40
      [   32.431249]  __do_sys_init_module+0x135/0x170
      [   32.432547]  do_syscall_64+0x43/0x120
      [   32.433853]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Because if rodata=n, set_memory_x() can't be called, fix this by
      calling set_memory_x in complete_formation();
      
      Fixes: f2c65fb3 ("x86/modules: Avoid breaking W^X while loading modules")
      Suggested-by: default avatarJian Cheng <cj.chengjian@huawei.com>
      Reviewed-by: default avatarNadav Amit <namit@vmware.com>
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarJessica Yu <jeyu@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ae415d7a
    • Olivier Moysan's avatar
      iio: adc: stm32-dfsdm: fix data type · 0ae0c43a
      Olivier Moysan authored
      commit c6013bf5 upstream.
      
      Fix the data type as DFSDM raw output is complements 2,
      24bits left aligned in a 32-bit register.
      This change does not affect AUDIO path
      - Set data as signed for IIO (as for AUDIO)
      - Set 8 bit right shift for IIO.
      The 8 LSBs bits of data contains channel info and are masked.
      Signed-off-by: default avatarOlivier Moysan <olivier.moysan@st.com>
      Fixes: e2e6771c ("IIO: ADC: add STM32 DFSDM sigma delta ADC support")
      Acked-by: default avatarFabrice Gasnier <fabrice.gasnier@st.com>
      Signed-off-by: default avatarJonathan Cameron <Jonathan.Cameron@huawei.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ae0c43a
    • Mario Limonciello's avatar
      Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature" · acf77c41
      Mario Limonciello authored
      commit 1ffdb51f upstream.
      
      This reverts commit a0085f25.
      
      This commit has caused regressions in notebooks that support suspend
      to idle such as the XPS 9360, XPS 9370 and XPS 9380.
      
      These notebooks will wakeup from suspend to idle from an unsolicited
      advertising packet from an unpaired BLE device.
      
      In a bug report it was sugggested that this is caused by a generic
      lack of LE privacy support.  Revert this commit until that behavior
      can be avoided by the kernel.
      
      Fixes: a0085f25 ("Bluetooth: btusb: driver to enable the usb-wakeup feature")
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=200039
      Link: https://marc.info/?l=linux-bluetooth&m=156441081612627&w=2
      Link: https://chromium-review.googlesource.com/c/chromiumos/third_party/kernel/+/750073/
      CC: Bastien Nocera <hadess@hadess.net>
      CC: Christian Kellner <ckellner@redhat.com>
      CC: Sukumar Ghorai <sukumar.ghorai@intel.com>
      Signed-off-by: default avatarMario Limonciello <mario.limonciello@dell.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      acf77c41
    • Nishka Dasgupta's avatar
      drm/mediatek: mtk_drm_drv.c: Add of_node_put() before goto · a03ed289
      Nishka Dasgupta authored
      commit 165d42c0 upstream.
      
      Each iteration of for_each_child_of_node puts the previous
      node, but in the case of a goto from the middle of the loop, there is
      no put, thus causing a memory leak. Hence add an of_node_put before the
      goto in two places.
      Issue found with Coccinelle.
      
      Fixes: 119f5173 (drm/mediatek: Add DRM Driver for Mediatek SoC MT8173)
      Signed-off-by: default avatarNishka Dasgupta <nishkadg.linux@gmail.com>
      Signed-off-by: default avatarCK Hu <ck.hu@mediatek.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a03ed289
    • Hans de Goede's avatar
      drm: panel-orientation-quirks: Add extra quirk table entry for GPD MicroPC · d13a836d
      Hans de Goede authored
      commit dae1ccee upstream.
      
      Newer GPD MicroPC BIOS versions have proper DMI strings, add an extra quirk
      table entry for these new strings. This is good news, as this means that we
      no longer have to update the BIOS dates list with every BIOS update.
      
      Fixes: 652b8b08("drm: panel-orientation-quirks: Add quirk for GPD MicroPC")
      Acked-by: default avatarMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190624154014.8557-2-hdegoede@redhat.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d13a836d
    • Andrew F. Davis's avatar
      firmware: ti_sci: Always request response from firmware · 4b30a069
      Andrew F. Davis authored
      commit 66f030ea upstream.
      
      TI-SCI firmware will only respond to messages when the
      TI_SCI_FLAG_REQ_ACK_ON_PROCESSED flag is set. Most messages already do
      this, set this for the ones that do not.
      
      This will be enforced in future firmware that better match the TI-SCI
      specifications, this patch will not break users of existing firmware.
      
      Fixes: aa276781 ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol")
      Signed-off-by: default avatarAndrew F. Davis <afd@ti.com>
      Acked-by: default avatarNishanth Menon <nm@ti.com>
      Tested-by: default avatarAlejandro Hernandez <ajhernandez@ti.com>
      Signed-off-by: default avatarTero Kristo <t-kristo@ti.com>
      Signed-off-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4b30a069
    • Christophe Leroy's avatar
      crypto: talitos - HMAC SNOOP NO AFEU mode requires SW icv checking. · 3dfc787f
      Christophe Leroy authored
      commit 4bbfb839 upstream.
      
      In that mode, hardware ICV verification is not supported.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 7405c8d7 ("crypto: talitos - templates for AEAD using HMAC_SNOOP_NO_AFEU")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3dfc787f
    • Christophe Leroy's avatar
      crypto: talitos - Do not modify req->cryptlen on decryption. · e89d4cb6
      Christophe Leroy authored
      commit 7ede4c36 upstream.
      
      For decrypt, req->cryptlen includes the size of the authentication
      part while all functions of the driver expect cryptlen to be
      the size of the encrypted data.
      
      As it is not expected to change req->cryptlen, this patch
      implements local calculation of cryptlen.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 9c4a7965 ("crypto: talitos - Freescale integrated security engine (SEC) driver")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e89d4cb6
    • Christophe Leroy's avatar
      crypto: talitos - fix ECB algs ivsize · 9aff4077
      Christophe Leroy authored
      commit d84cc9c9 upstream.
      
      ECB's ivsize must be 0.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 5e75ae1b ("crypto: talitos - add new crypto modes")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9aff4077
    • Christophe Leroy's avatar
      crypto: talitos - check data blocksize in ablkcipher. · c4d7148e
      Christophe Leroy authored
      commit ee483d32 upstream.
      
      When data size is not a multiple of the alg's block size,
      the SEC generates an error interrupt and dumps the registers.
      And for NULL size, the SEC does just nothing and the interrupt
      is awaited forever.
      
      This patch ensures the data size is correct before submitting
      the request to the SEC engine.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 4de9d0b5 ("crypto: talitos - Add ablkcipher algorithms")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c4d7148e
    • Christophe Leroy's avatar
      crypto: talitos - fix CTR alg blocksize · 02ebbb4f
      Christophe Leroy authored
      commit b9a05b60 upstream.
      
      CTR has a blocksize of 1.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 5e75ae1b ("crypto: talitos - add new crypto modes")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      02ebbb4f
    • Christophe Leroy's avatar
      crypto: talitos - check AES key size · 39fa02a3
      Christophe Leroy authored
      commit 1ba34e71 upstream.
      
      Although the HW accepts any size and silently truncates
      it to the correct length, the extra tests expects EINVAL
      to be returned when the key size is not valid.
      Signed-off-by: default avatarChristophe Leroy <christophe.leroy@c-s.fr>
      Fixes: 4de9d0b5 ("crypto: talitos - Add ablkcipher algorithms")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      39fa02a3
    • Muchun Song's avatar
      driver core: Fix use-after-free and double free on glue directory · e1666bcb
      Muchun Song authored
      commit ac43432c upstream.
      
      There is a race condition between removing glue directory and adding a new
      device under the glue dir. It can be reproduced in following test:
      
      CPU1:                                         CPU2:
      
      device_add()
        get_device_parent()
          class_dir_create_and_add()
            kobject_add_internal()
              create_dir()    // create glue_dir
      
                                                    device_add()
                                                      get_device_parent()
                                                        kobject_get() // get glue_dir
      
      device_del()
        cleanup_glue_dir()
          kobject_del(glue_dir)
      
                                                      kobject_add()
                                                        kobject_add_internal()
                                                          create_dir() // in glue_dir
                                                            sysfs_create_dir_ns()
                                                              kernfs_create_dir_ns(sd)
      
            sysfs_remove_dir() // glue_dir->sd=NULL
            sysfs_put()        // free glue_dir->sd
      
                                                                // sd is freed
                                                                kernfs_new_node(sd)
                                                                  kernfs_get(glue_dir)
                                                                  kernfs_add_one()
                                                                  kernfs_put()
      
      Before CPU1 remove last child device under glue dir, if CPU2 add a new
      device under glue dir, the glue_dir kobject reference count will be
      increase to 2 via kobject_get() in get_device_parent(). And CPU2 has
      been called kernfs_create_dir_ns(), but not call kernfs_new_node().
      Meanwhile, CPU1 call sysfs_remove_dir() and sysfs_put(). This result in
      glue_dir->sd is freed and it's reference count will be 0. Then CPU2 call
      kernfs_get(glue_dir) will trigger a warning in kernfs_get() and increase
      it's reference count to 1. Because glue_dir->sd is freed by CPU1, the next
      call kernfs_add_one() by CPU2 will fail(This is also use-after-free)
      and call kernfs_put() to decrease reference count. Because the reference
      count is decremented to 0, it will also call kmem_cache_free() to free
      the glue_dir->sd again. This will result in double free.
      
      In order to avoid this happening, we also should make sure that kernfs_node
      for glue_dir is released in CPU1 only when refcount for glue_dir kobj is
      1 to fix this race.
      
      The following calltrace is captured in kernel 4.14 with the following patch
      applied:
      
      commit 726e4109 ("drivers: core: Remove glue dirs from sysfs earlier")
      
      --------------------------------------------------------------------------
      [    3.633703] WARNING: CPU: 4 PID: 513 at .../fs/kernfs/dir.c:494
                      Here is WARN_ON(!atomic_read(&kn->count) in kernfs_get().
      ....
      [    3.633986] Call trace:
      [    3.633991]  kernfs_create_dir_ns+0xa8/0xb0
      [    3.633994]  sysfs_create_dir_ns+0x54/0xe8
      [    3.634001]  kobject_add_internal+0x22c/0x3f0
      [    3.634005]  kobject_add+0xe4/0x118
      [    3.634011]  device_add+0x200/0x870
      [    3.634017]  _request_firmware+0x958/0xc38
      [    3.634020]  request_firmware_into_buf+0x4c/0x70
      ....
      [    3.634064] kernel BUG at .../mm/slub.c:294!
                      Here is BUG_ON(object == fp) in set_freepointer().
      ....
      [    3.634346] Call trace:
      [    3.634351]  kmem_cache_free+0x504/0x6b8
      [    3.634355]  kernfs_put+0x14c/0x1d8
      [    3.634359]  kernfs_create_dir_ns+0x88/0xb0
      [    3.634362]  sysfs_create_dir_ns+0x54/0xe8
      [    3.634366]  kobject_add_internal+0x22c/0x3f0
      [    3.634370]  kobject_add+0xe4/0x118
      [    3.634374]  device_add+0x200/0x870
      [    3.634378]  _request_firmware+0x958/0xc38
      [    3.634381]  request_firmware_into_buf+0x4c/0x70
      --------------------------------------------------------------------------
      
      Fixes: 726e4109 ("drivers: core: Remove glue dirs from sysfs earlier")
      Signed-off-by: default avatarMuchun Song <smuchun@gmail.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarPrateek Sood <prsood@codeaurora.org>
      Link: https://lore.kernel.org/r/20190727032122.24639-1-smuchun@gmail.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e1666bcb
    • Richard Weinberger's avatar
      ubifs: Correctly use tnc_next() in search_dh_cookie() · 72cd230b
      Richard Weinberger authored
      commit bacfa94b upstream.
      
      Commit c877154d fixed an uninitialized variable and optimized
      the function to not call tnc_next() in the first iteration of the
      loop. While this seemed perfectly legit and wise, it turned out to
      be illegal.
      If the lookup function does not find an exact match it will rewind
      the cursor by 1.
      The rewinded cursor will not match the name hash we are looking for
      and this results in a spurious -ENOENT.
      So we need to move to the next entry in case of an non-exact match,
      but not if the match was exact.
      
      While we are here, update the documentation to avoid further confusion.
      
      Cc: Hyunchul Lee <hyc.lee@gmail.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Fixes: c877154d ("ubifs: Fix uninitialized variable in search_dh_cookie()")
      Fixes: 781f675e ("ubifs: Fix unlink code wrt. double hash lookups")
      Signed-off-by: default avatarRichard Weinberger <richard@nod.at>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72cd230b
    • Kent Gibson's avatar
      gpio: fix line flag validation in lineevent_create · a6529008
      Kent Gibson authored
      commit 5ca2f54b upstream.
      
      lineevent_create should not allow any of GPIOHANDLE_REQUEST_OUTPUT,
      GPIOHANDLE_REQUEST_OPEN_DRAIN or GPIOHANDLE_REQUEST_OPEN_SOURCE to be set.
      
      Fixes: d7c51b47 ("gpio: userspace ABI for reading/writing GPIO lines")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarKent Gibson <warthog618@gmail.com>
      Signed-off-by: default avatarBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6529008
    • Alex Williamson's avatar
      PCI: Always allow probing with driver_override · 0f4095f3
      Alex Williamson authored
      commit 2d2f4273 upstream.
      
      Commit 0e7df224 ("PCI: Add sysfs sriov_drivers_autoprobe to control
      VF driver binding") introduced the sriov_drivers_autoprobe attribute
      which allows users to prevent the kernel from automatically probing a
      driver for new VFs as they are created.  This allows VFs to be spawned
      without automatically binding the new device to a host driver, such as
      in cases where the user intends to use the device only with a meta
      driver like vfio-pci.  However, the current implementation prevents any
      use of drivers_probe with the VF while sriov_drivers_autoprobe=0.  This
      blocks the now current general practice of setting driver_override
      followed by using drivers_probe to bind a device to a specified driver.
      
      The kernel never automatically sets a driver_override therefore it seems
      we can assume a driver_override reflects the intent of the user.  Also,
      probing a device using a driver_override match seems outside the scope
      of the 'auto' part of sriov_drivers_autoprobe.  Therefore, let's allow
      driver_override matches regardless of sriov_drivers_autoprobe, which we
      can do by simply testing if a driver_override is set for a device as a
      'can probe' condition.
      
      Fixes: 0e7df224 ("PCI: Add sysfs sriov_drivers_autoprobe to control VF driver binding")
      Link: https://lore.kernel.org/lkml/155742996741.21878.569845487290798703.stgit@gimli.home
      Link: https://lore.kernel.org/linux-pci/155672991496.20698.4279330795743262888.stgit@gimli.home/T/#uSigned-off-by: default avatarAlex Williamson <alex.williamson@redhat.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f4095f3
    • Xiaolei Li's avatar
      mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue · 70facf93
      Xiaolei Li authored
      commit 336d4b13 upstream.
      
      One main goal of the function mtk_nfc_update_ecc_stats is to check
      whether sectors are all empty. If they are empty, set these sectors's
      data buffer and OOB buffer as 0xff.
      
      But now, the sector OOB buffer pointer is wrongly assigned. We always
      do memset from sector 0.
      
      To fix this issue, pass start sector number to make OOB buffer pointer
      be properly assigned.
      
      Fixes: 1d6b1e46 ("mtd: mediatek: driver for MTK Smart Device")
      Signed-off-by: default avatarXiaolei Li <xiaolei.li@mediatek.com>
      Reviewed-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      70facf93
    • Douglas Anderson's avatar
      clk: rockchip: Don't yell about bad mmc phases when getting · 6da56f89
      Douglas Anderson authored
      commit 6943b839 upstream.
      
      At boot time, my rk3288-veyron devices yell with 8 lines that look
      like this:
        [    0.000000] rockchip_mmc_get_phase: invalid clk rate
      
      This is because the clock framework at clk_register() time tries to
      get the phase but we don't have a parent yet.
      
      While the errors appear to be harmless they are still ugly and, in
      general, we don't want yells like this in the log unless they are
      important.
      
      There's no real reason to be yelling here.  We can still return
      -EINVAL to indicate that the phase makes no sense without a parent.
      If someone really tries to do tuning and the clock is reported as 0
      then we'll see the yells in rockchip_mmc_set_phase().
      
      Fixes: 4bf59902 ("clk: rockchip: Prevent calculating mmc phase if clock rate is zero")
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Signed-off-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6da56f89
    • Neil Armstrong's avatar
      drm/meson: Add support for XBGR8888 & ABGR8888 formats · a63416f3
      Neil Armstrong authored
      commit 5ffff441 upstream.
      
      Add missing XBGR8888 & ABGR8888 formats variants from the primary plane.
      
      Fixes: bbbe775e ("drm: Add support for Amlogic Meson Graphic Controller")
      Signed-off-by: default avatarNeil Armstrong <narmstrong@baylibre.com>
      Reviewed-by: default avatarKevin Hilman <khilman@baylibre.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190429075238.7884-1-narmstrong@baylibre.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a63416f3
    • Suraj Jitindar Singh's avatar
      powerpc: Add barrier_nospec to raw_copy_in_user() · d9e8b4ba
      Suraj Jitindar Singh authored
      commit 6fbcdd59 upstream.
      
      Commit ddf35cf3 ("powerpc: Use barrier_nospec in copy_from_user()")
      Added barrier_nospec before loading from user-controlled pointers. The
      intention was to order the load from the potentially user-controlled
      pointer vs a previous branch based on an access_ok() check or similar.
      
      In order to achieve the same result, add a barrier_nospec to the
      raw_copy_in_user() function before loading from such a user-controlled
      pointer.
      
      Fixes: ddf35cf3 ("powerpc: Use barrier_nospec in copy_from_user()")
      Signed-off-by: default avatarSuraj Jitindar Singh <sjitindarsingh@gmail.com>
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d9e8b4ba
    • Steve Wahl's avatar
      x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to... · eb020b77
      Steve Wahl authored
      x86/purgatory: Change compiler flags from -mcmodel=kernel to -mcmodel=large to fix kexec relocation errors
      
      commit e16c2983 upstream.
      
      The last change to this Makefile caused relocation errors when loading
      a kdump kernel.  Restore -mcmodel=large (not -mcmodel=kernel),
      -ffreestanding, and -fno-zero-initialized-bsss, without reverting to
      the former practice of resetting KBUILD_CFLAGS.
      
      Purgatory.ro is a standalone binary that is not linked against the
      rest of the kernel.  Its image is copied into an array that is linked
      to the kernel, and from there kexec relocates it wherever it desires.
      
      With the previous change to compiler flags, the error "kexec: Overflow
      in relocation type 11 value 0x11fffd000" was encountered when trying
      to load the crash kernel.  This is from kexec code trying to relocate
      the purgatory.ro object.
      
      From the error message, relocation type 11 is R_X86_64_32S.  The
      x86_64 ABI says:
      
        "The R_X86_64_32 and R_X86_64_32S relocations truncate the
         computed value to 32-bits.  The linker must verify that the
         generated value for the R_X86_64_32 (R_X86_64_32S) relocation
         zero-extends (sign-extends) to the original 64-bit value."
      
      This type of relocation doesn't work when kexec chooses to place the
      purgatory binary in memory that is not reachable with 32 bit
      addresses.
      
      The compiler flag -mcmodel=kernel allows those type of relocations to
      be emitted, so revert to using -mcmodel=large as was done before.
      
      Also restore the -ffreestanding and -fno-zero-initialized-bss flags
      because they are appropriate for a stand alone piece of object code
      which doesn't explicitly zero the bss, and one other report has said
      undefined symbols are encountered without -ffreestanding.
      
      These identical compiler flag changes need to happen for every object
      that becomes part of the purgatory.ro object, so gather them together
      first into PURGATORY_CFLAGS_REMOVE and PURGATORY_CFLAGS, and then
      apply them to each of the objects that have C source.  Do not apply
      any of these flags to kexec-purgatory.o, which is not part of the
      standalone object but part of the kernel proper.
      Tested-by: default avatarVaibhav Rustagi <vaibhavrustagi@google.com>
      Tested-by: default avatarAndreas Smas <andreas@lonelycoder.com>
      Signed-off-by: default avatarSteve Wahl <steve.wahl@hpe.com>
      Reviewed-by: default avatarNick Desaulniers <ndesaulniers@google.com>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: H. Peter Anvin <hpa@zytor.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: None
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: clang-built-linux@googlegroups.com
      Cc: dimitri.sivanich@hpe.com
      Cc: mike.travis@hpe.com
      Cc: russ.anderson@hpe.com
      Fixes: b059f801 ("x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS")
      Link: https://lkml.kernel.org/r/20190905202346.GA26595@swahl-linuxSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      Cc: Andreas Smas <andreas@lonelycoder.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      
      eb020b77
    • Paolo Bonzini's avatar
      KVM: nVMX: handle page fault in vmread · 73c31bd9
      Paolo Bonzini authored
      commit f7eea636 upstream.
      
      The implementation of vmread to memory is still incomplete, as it
      lacks the ability to do vmread to I/O memory just like vmptrst.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73c31bd9
    • Fuqian Huang's avatar
      KVM: x86: work around leak of uninitialized stack contents · 6e60900c
      Fuqian Huang authored
      commit 541ab2ae upstream.
      
      Emulation of VMPTRST can incorrectly inject a page fault
      when passed an operand that points to an MMIO address.
      The page fault will use uninitialized kernel stack memory
      as the CR2 and error code.
      
      The right behavior would be to abort the VM with a KVM_EXIT_INTERNAL_ERROR
      exit to userspace; however, it is not an easy fix, so for now just ensure
      that the error code and CR2 are zero.
      Signed-off-by: default avatarFuqian Huang <huangfq.daxian@gmail.com>
      Cc: stable@vger.kernel.org
      [add comment]
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6e60900c
    • Thomas Huth's avatar
      KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl · 09a9f894
      Thomas Huth authored
      commit 53936b5b upstream.
      
      When the userspace program runs the KVM_S390_INTERRUPT ioctl to inject
      an interrupt, we convert them from the legacy struct kvm_s390_interrupt
      to the new struct kvm_s390_irq via the s390int_to_s390irq() function.
      However, this function does not take care of all types of interrupts
      that we can inject into the guest later (see do_inject_vcpu()). Since we
      do not clear out the s390irq values before calling s390int_to_s390irq(),
      there is a chance that we copy random data from the kernel stack which
      could be leaked to the userspace later.
      
      Specifically, the problem exists with the KVM_S390_INT_PFAULT_INIT
      interrupt: s390int_to_s390irq() does not handle it, and the function
      __inject_pfault_init() later copies irq->u.ext which contains the
      random kernel stack data. This data can then be leaked either to
      the guest memory in __deliver_pfault_init(), or the userspace might
      retrieve it directly with the KVM_S390_GET_IRQ_STATE ioctl.
      
      Fix it by handling that interrupt type in s390int_to_s390irq(), too,
      and by making sure that the s390irq struct is properly pre-initialized.
      And while we're at it, make sure that s390int_to_s390irq() now
      directly returns -EINVAL for unknown interrupt types, so that we
      immediately get a proper error code in case we add more interrupt
      types to do_inject_vcpu() without updating s390int_to_s390irq()
      sometime in the future.
      
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarJanosch Frank <frankja@linux.ibm.com>
      Signed-off-by: default avatarThomas Huth <thuth@redhat.com>
      Link: https://lore.kernel.org/kvm/20190912115438.25761-1-thuth@redhat.comSigned-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      09a9f894
    • Igor Mammedov's avatar
      KVM: s390: kvm_s390_vm_start_migration: check dirty_bitmap before using it as target for memset() · 9f8a2825
      Igor Mammedov authored
      commit 13a17cc0 upstream.
      
      If userspace doesn't set KVM_MEM_LOG_DIRTY_PAGES on memslot before calling
      kvm_s390_vm_start_migration(), kernel will oops with:
      
        Unable to handle kernel pointer dereference in virtual kernel address space
        Failing address: 0000000000000000 TEID: 0000000000000483
        Fault in home space mode while using kernel ASCE.
        AS:0000000002a2000b R2:00000001bff8c00b R3:00000001bff88007 S:00000001bff91000 P:000000000000003d
        Oops: 0004 ilc:2 [#1] SMP
        ...
        Call Trace:
        ([<001fffff804ec552>] kvm_s390_vm_set_attr+0x347a/0x3828 [kvm])
         [<001fffff804ecfc0>] kvm_arch_vm_ioctl+0x6c0/0x1998 [kvm]
         [<001fffff804b67e4>] kvm_vm_ioctl+0x51c/0x11a8 [kvm]
         [<00000000008ba572>] do_vfs_ioctl+0x1d2/0xe58
         [<00000000008bb284>] ksys_ioctl+0x8c/0xb8
         [<00000000008bb2e2>] sys_ioctl+0x32/0x40
         [<000000000175552c>] system_call+0x2b8/0x2d8
        INFO: lockdep is turned off.
        Last Breaking-Event-Address:
         [<0000000000dbaf60>] __memset+0xc/0xa0
      
      due to ms->dirty_bitmap being NULL, which might crash the host.
      
      Make sure that ms->dirty_bitmap is set before using it or
      return -EINVAL otherwise.
      
      Cc: <stable@vger.kernel.org>
      Fixes: afdad616 ("KVM: s390: Fix storage attributes migration with memory slots")
      Signed-off-by: default avatarIgor Mammedov <imammedo@redhat.com>
      Link: https://lore.kernel.org/kvm/20190911075218.29153-1-imammedo@redhat.com/Reviewed-by: default avatarDavid Hildenbrand <david@redhat.com>
      Reviewed-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarClaudio Imbrenda <imbrenda@linux.ibm.com>
      Reviewed-by: default avatarCornelia Huck <cohuck@redhat.com>
      Reviewed-by: default avatarJanosch Frank <frankja@linux.ibm.com>
      Signed-off-by: default avatarJanosch Frank <frankja@linux.ibm.com>
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9f8a2825
    • Yunfeng Ye's avatar
      genirq: Prevent NULL pointer dereference in resend_irqs() · 991b3458
      Yunfeng Ye authored
      commit eddf3e9c upstream.
      
      The following crash was observed:
      
        Unable to handle kernel NULL pointer dereference at 0000000000000158
        Internal error: Oops: 96000004 [#1] SMP
        pc : resend_irqs+0x68/0xb0
        lr : resend_irqs+0x64/0xb0
        ...
        Call trace:
         resend_irqs+0x68/0xb0
         tasklet_action_common.isra.6+0x84/0x138
         tasklet_action+0x2c/0x38
         __do_softirq+0x120/0x324
         run_ksoftirqd+0x44/0x60
         smpboot_thread_fn+0x1ac/0x1e8
         kthread+0x134/0x138
         ret_from_fork+0x10/0x18
      
      The reason for this is that the interrupt resend mechanism happens in soft
      interrupt context, which is a asynchronous mechanism versus other
      operations on interrupts. free_irq() does not take resend handling into
      account. Thus, the irq descriptor might be already freed before the resend
      tasklet is executed. resend_irqs() does not check the return value of the
      interrupt descriptor lookup and derefences the return value
      unconditionally.
      
        1):
        __setup_irq
          irq_startup
            check_irq_resend  // activate softirq to handle resend irq
        2):
        irq_domain_free_irqs
          irq_free_descs
            free_desc
              call_rcu(&desc->rcu, delayed_free_desc)
        3):
        __do_softirq
          tasklet_action
            resend_irqs
              desc = irq_to_desc(irq)
              desc->handle_irq(desc)  // desc is NULL --> Ooops
      
      Fix this by adding a NULL pointer check in resend_irqs() before derefencing
      the irq descriptor.
      
      Fixes: a4633adc ("[PATCH] genirq: add genirq sw IRQ-retrigger")
      Signed-off-by: default avatarYunfeng Ye <yeyunfeng@huawei.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Reviewed-by: default avatarZhiqiang Liu <liuzhiqiang26@huawei.com>
      Cc: stable@vger.kernel.org
      Link: https://lkml.kernel.org/r/1630ae13-5c8e-901e-de09-e740b6a426a7@huawei.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      991b3458
    • Alexander Duyck's avatar
      ixgbe: Prevent u8 wrapping of ITR value to something less than 10us · 5b5f1460
      Alexander Duyck authored
      commit 377228ac upstream.
      
      There were a couple cases where the ITR value generated via the adaptive
      ITR scheme could exceed 126. This resulted in the value becoming either 0
      or something less than 10. Switching back and forth between a value less
      than 10 and a value greater than 10 can cause issues as certain hardware
      features such as RSC to not function well when the ITR value has dropped
      that low.
      
      CC: stable@vger.kernel.org
      Fixes: b4ded832 ("ixgbe: Update adaptive ITR algorithm")
      Reported-by: default avatarGregg Leventhal <gleventhal@janestreet.com>
      Signed-off-by: default avatarAlexander Duyck <alexander.h.duyck@linux.intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5b5f1460
    • Filipe Manana's avatar
      Btrfs: fix assertion failure during fsync and use of stale transaction · 7cbd49cf
      Filipe Manana authored
      commit 410f954c upstream.
      
      Sometimes when fsync'ing a file we need to log that other inodes exist and
      when we need to do that we acquire a reference on the inodes and then drop
      that reference using iput() after logging them.
      
      That generally is not a problem except if we end up doing the final iput()
      (dropping the last reference) on the inode and that inode has a link count
      of 0, which can happen in a very short time window if the logging path
      gets a reference on the inode while it's being unlinked.
      
      In that case we end up getting the eviction callback, btrfs_evict_inode(),
      invoked through the iput() call chain which needs to drop all of the
      inode's items from its subvolume btree, and in order to do that, it needs
      to join a transaction at the helper function evict_refill_and_join().
      However because the task previously started a transaction at the fsync
      handler, btrfs_sync_file(), it has current->journal_info already pointing
      to a transaction handle and therefore evict_refill_and_join() will get
      that transaction handle from btrfs_join_transaction(). From this point on,
      two different problems can happen:
      
      1) evict_refill_and_join() will often change the transaction handle's
         block reserve (->block_rsv) and set its ->bytes_reserved field to a
         value greater than 0. If evict_refill_and_join() never commits the
         transaction, the eviction handler ends up decreasing the reference
         count (->use_count) of the transaction handle through the call to
         btrfs_end_transaction(), and after that point we have a transaction
         handle with a NULL ->block_rsv (which is the value prior to the
         transaction join from evict_refill_and_join()) and a ->bytes_reserved
         value greater than 0. If after the eviction/iput completes the inode
         logging path hits an error or it decides that it must fallback to a
         transaction commit, the btrfs fsync handle, btrfs_sync_file(), gets a
         non-zero value from btrfs_log_dentry_safe(), and because of that
         non-zero value it tries to commit the transaction using a handle with
         a NULL ->block_rsv and a non-zero ->bytes_reserved value. This makes
         the transaction commit hit an assertion failure at
         btrfs_trans_release_metadata() because ->bytes_reserved is not zero but
         the ->block_rsv is NULL. The produced stack trace for that is like the
         following:
      
         [192922.917158] assertion failed: !trans->bytes_reserved, file: fs/btrfs/transaction.c, line: 816
         [192922.917553] ------------[ cut here ]------------
         [192922.917922] kernel BUG at fs/btrfs/ctree.h:3532!
         [192922.918310] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC PTI
         [192922.918666] CPU: 2 PID: 883 Comm: fsstress Tainted: G        W         5.1.4-btrfs-next-47 #1
         [192922.919035] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014
         [192922.919801] RIP: 0010:assfail.constprop.25+0x18/0x1a [btrfs]
         (...)
         [192922.920925] RSP: 0018:ffffaebdc8a27da8 EFLAGS: 00010286
         [192922.921315] RAX: 0000000000000051 RBX: ffff95c9c16a41c0 RCX: 0000000000000000
         [192922.921692] RDX: 0000000000000000 RSI: ffff95cab6b16838 RDI: ffff95cab6b16838
         [192922.922066] RBP: ffff95c9c16a41c0 R08: 0000000000000000 R09: 0000000000000000
         [192922.922442] R10: ffffaebdc8a27e70 R11: 0000000000000000 R12: ffff95ca731a0980
         [192922.922820] R13: 0000000000000000 R14: ffff95ca84c73338 R15: ffff95ca731a0ea8
         [192922.923200] FS:  00007f337eda4e80(0000) GS:ffff95cab6b00000(0000) knlGS:0000000000000000
         [192922.923579] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
         [192922.923948] CR2: 00007f337edad000 CR3: 00000001e00f6002 CR4: 00000000003606e0
         [192922.924329] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
         [192922.924711] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
         [192922.925105] Call Trace:
         [192922.925505]  btrfs_trans_release_metadata+0x10c/0x170 [btrfs]
         [192922.925911]  btrfs_commit_transaction+0x3e/0xaf0 [btrfs]
         [192922.926324]  btrfs_sync_file+0x44c/0x490 [btrfs]
         [192922.926731]  do_fsync+0x38/0x60
         [192922.927138]  __x64_sys_fdatasync+0x13/0x20
         [192922.927543]  do_syscall_64+0x60/0x1c0
         [192922.927939]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
         (...)
         [192922.934077] ---[ end trace f00808b12068168f ]---
      
      2) If evict_refill_and_join() decides to commit the transaction, it will
         be able to do it, since the nested transaction join only increments the
         transaction handle's ->use_count reference counter and it does not
         prevent the transaction from getting committed. This means that after
         eviction completes, the fsync logging path will be using a transaction
         handle that refers to an already committed transaction. What happens
         when using such a stale transaction can be unpredictable, we are at
         least having a use-after-free on the transaction handle itself, since
         the transaction commit will call kmem_cache_free() against the handle
         regardless of its ->use_count value, or we can end up silently losing
         all the updates to the log tree after that iput() in the logging path,
         or using a transaction handle that in the meanwhile was allocated to
         another task for a new transaction, etc, pretty much unpredictable
         what can happen.
      
      In order to fix both of them, instead of using iput() during logging, use
      btrfs_add_delayed_iput(), so that the logging path of fsync never drops
      the last reference on an inode, that step is offloaded to a safe context
      (usually the cleaner kthread).
      
      The assertion failure issue was sporadically triggered by the test case
      generic/475 from fstests, which loads the dm error target while fsstress
      is running, which lead to fsync failing while logging inodes with -EIO
      errors and then trying later to commit the transaction, triggering the
      assertion failure.
      
      CC: stable@vger.kernel.org # 4.4+
      Reviewed-by: default avatarJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7cbd49cf
    • Kent Gibson's avatar
      gpio: fix line flag validation in linehandle_create · 22ed1d47
      Kent Gibson authored
      commit e95fbc13 upstream.
      
      linehandle_create should not allow both GPIOHANDLE_REQUEST_INPUT
      and GPIOHANDLE_REQUEST_OUTPUT to be set.
      
      Fixes: d7c51b47 ("gpio: userspace ABI for reading/writing GPIO lines")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarKent Gibson <warthog618@gmail.com>
      Signed-off-by: default avatarBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      22ed1d47
    • Hans de Goede's avatar
      gpiolib: acpi: Add gpiolib_acpi_run_edge_events_on_boot option and blacklist · 705df757
      Hans de Goede authored
      commit 61f7f7c8 upstream.
      
      Another day; another DSDT bug we need to workaround...
      
      Since commit ca876c74 ("gpiolib-acpi: make sure we trigger edge events
      at least once on boot") we call _AEI edge handlers at boot.
      
      In some rare cases this causes problems. One example of this is the Minix
      Neo Z83-4 mini PC, this device has a clear DSDT bug where it has some copy
      and pasted code for dealing with Micro USB-B connector host/device role
      switching, while the mini PC does not even have a micro-USB connector.
      This code, which should not be there, messes with the DDC data pin from
      the HDMI connector (switching it to GPIO mode) breaking HDMI support.
      
      To avoid problems like this, this commit adds a new
      gpiolib_acpi.run_edge_events_on_boot kernel commandline option, which
      allows disabling the running of _AEI edge event handlers at boot.
      
      The default value is -1/auto which uses a DMI based blacklist, the initial
      version of this blacklist contains the Neo Z83-4 fixing the HDMI breakage.
      
      Cc: stable@vger.kernel.org
      Cc: Daniel Drake <drake@endlessm.com>
      Cc: Ian W MORRISON <ianwmorrison@gmail.com>
      Reported-by: default avatarIan W MORRISON <ianwmorrison@gmail.com>
      Suggested-by: default avatarIan W MORRISON <ianwmorrison@gmail.com>
      Fixes: ca876c74 ("gpiolib-acpi: make sure we trigger edge events at least once on boot")
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Link: https://lore.kernel.org/r/20190827202835.213456-1-hdegoede@redhat.comAcked-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Tested-by: default avatarIan W MORRISON <ianwmorrison@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      705df757
    • Yang Yingliang's avatar
      tun: fix use-after-free when register netdev failed · 0f4ceb25
      Yang Yingliang authored
      [ Upstream commit 77f22f92 ]
      
      I got a UAF repport in tun driver when doing fuzzy test:
      
      [  466.269490] ==================================================================
      [  466.271792] BUG: KASAN: use-after-free in tun_chr_read_iter+0x2ca/0x2d0
      [  466.271806] Read of size 8 at addr ffff888372139250 by task tun-test/2699
      [  466.271810]
      [  466.271824] CPU: 1 PID: 2699 Comm: tun-test Not tainted 5.3.0-rc1-00001-g5a9433db2614-dirty #427
      [  466.271833] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      [  466.271838] Call Trace:
      [  466.271858]  dump_stack+0xca/0x13e
      [  466.271871]  ? tun_chr_read_iter+0x2ca/0x2d0
      [  466.271890]  print_address_description+0x79/0x440
      [  466.271906]  ? vprintk_func+0x5e/0xf0
      [  466.271920]  ? tun_chr_read_iter+0x2ca/0x2d0
      [  466.271935]  __kasan_report+0x15c/0x1df
      [  466.271958]  ? tun_chr_read_iter+0x2ca/0x2d0
      [  466.271976]  kasan_report+0xe/0x20
      [  466.271987]  tun_chr_read_iter+0x2ca/0x2d0
      [  466.272013]  do_iter_readv_writev+0x4b7/0x740
      [  466.272032]  ? default_llseek+0x2d0/0x2d0
      [  466.272072]  do_iter_read+0x1c5/0x5e0
      [  466.272110]  vfs_readv+0x108/0x180
      [  466.299007]  ? compat_rw_copy_check_uvector+0x440/0x440
      [  466.299020]  ? fsnotify+0x888/0xd50
      [  466.299040]  ? __fsnotify_parent+0xd0/0x350
      [  466.299064]  ? fsnotify_first_mark+0x1e0/0x1e0
      [  466.304548]  ? vfs_write+0x264/0x510
      [  466.304569]  ? ksys_write+0x101/0x210
      [  466.304591]  ? do_preadv+0x116/0x1a0
      [  466.304609]  do_preadv+0x116/0x1a0
      [  466.309829]  do_syscall_64+0xc8/0x600
      [  466.309849]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  466.309861] RIP: 0033:0x4560f9
      [  466.309875] Code: 00 00 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      [  466.309889] RSP: 002b:00007ffffa5166e8 EFLAGS: 00000206 ORIG_RAX: 0000000000000127
      [  466.322992] RAX: ffffffffffffffda RBX: 0000000000400460 RCX: 00000000004560f9
      [  466.322999] RDX: 0000000000000003 RSI: 00000000200008c0 RDI: 0000000000000003
      [  466.323007] RBP: 00007ffffa516700 R08: 0000000000000004 R09: 0000000000000000
      [  466.323014] R10: 0000000000000000 R11: 0000000000000206 R12: 000000000040cb10
      [  466.323021] R13: 0000000000000000 R14: 00000000006d7018 R15: 0000000000000000
      [  466.323057]
      [  466.323064] Allocated by task 2605:
      [  466.335165]  save_stack+0x19/0x80
      [  466.336240]  __kasan_kmalloc.constprop.8+0xa0/0xd0
      [  466.337755]  kmem_cache_alloc+0xe8/0x320
      [  466.339050]  getname_flags+0xca/0x560
      [  466.340229]  user_path_at_empty+0x2c/0x50
      [  466.341508]  vfs_statx+0xe6/0x190
      [  466.342619]  __do_sys_newstat+0x81/0x100
      [  466.343908]  do_syscall_64+0xc8/0x600
      [  466.345303]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  466.347034]
      [  466.347517] Freed by task 2605:
      [  466.348471]  save_stack+0x19/0x80
      [  466.349476]  __kasan_slab_free+0x12e/0x180
      [  466.350726]  kmem_cache_free+0xc8/0x430
      [  466.351874]  putname+0xe2/0x120
      [  466.352921]  filename_lookup+0x257/0x3e0
      [  466.354319]  vfs_statx+0xe6/0x190
      [  466.355498]  __do_sys_newstat+0x81/0x100
      [  466.356889]  do_syscall_64+0xc8/0x600
      [  466.358037]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
      [  466.359567]
      [  466.360050] The buggy address belongs to the object at ffff888372139100
      [  466.360050]  which belongs to the cache names_cache of size 4096
      [  466.363735] The buggy address is located 336 bytes inside of
      [  466.363735]  4096-byte region [ffff888372139100, ffff88837213a100)
      [  466.367179] The buggy address belongs to the page:
      [  466.368604] page:ffffea000dc84e00 refcount:1 mapcount:0 mapping:ffff8883df1b4f00 index:0x0 compound_mapcount: 0
      [  466.371582] flags: 0x2fffff80010200(slab|head)
      [  466.372910] raw: 002fffff80010200 dead000000000100 dead000000000122 ffff8883df1b4f00
      [  466.375209] raw: 0000000000000000 0000000000070007 00000001ffffffff 0000000000000000
      [  466.377778] page dumped because: kasan: bad access detected
      [  466.379730]
      [  466.380288] Memory state around the buggy address:
      [  466.381844]  ffff888372139100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  466.384009]  ffff888372139180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  466.386131] >ffff888372139200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  466.388257]                                                  ^
      [  466.390234]  ffff888372139280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  466.392512]  ffff888372139300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  466.394667] ==================================================================
      
      tun_chr_read_iter() accessed the memory which freed by free_netdev()
      called by tun_set_iff():
      
              CPUA                                           CPUB
        tun_set_iff()
          alloc_netdev_mqs()
          tun_attach()
                                                        tun_chr_read_iter()
                                                          tun_get()
                                                          tun_do_read()
                                                            tun_ring_recv()
          register_netdevice() <-- inject error
          goto err_detach
          tun_detach_all() <-- set RCV_SHUTDOWN
          free_netdev() <-- called from
                           err_free_dev path
            netdev_freemem() <-- free the memory
                              without check refcount
            (In this path, the refcount cannot prevent
             freeing the memory of dev, and the memory
             will be used by dev_put() called by
             tun_chr_read_iter() on CPUB.)
                                                           (Break from tun_ring_recv(),
                                                           because RCV_SHUTDOWN is set)
                                                         tun_put()
                                                           dev_put() <-- use the memory
                                                                         freed by netdev_freemem()
      
      Put the publishing of tfile->tun after register_netdevice(),
      so tun_get() won't get the tun pointer that freed by
      err_detach path if register_netdevice() failed.
      
      Fixes: eb0fb363 ("tuntap: attach queue 0 before registering netdevice")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Suggested-by: default avatarJason Wang <jasowang@redhat.com>
      Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0f4ceb25
    • Xin Long's avatar
      tipc: add NULL pointer check before calling kfree_rcu · 9a459842
      Xin Long authored
      [ Upstream commit 42dec1db ]
      
      Unlike kfree(p), kfree_rcu(p, rcu) won't do NULL pointer check. When
      tipc_nametbl_remove_publ returns NULL, the panic below happens:
      
         BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
         RIP: 0010:__call_rcu+0x1d/0x290
         Call Trace:
          <IRQ>
          tipc_publ_notify+0xa9/0x170 [tipc]
          tipc_node_write_unlock+0x8d/0x100 [tipc]
          tipc_node_link_down+0xae/0x1d0 [tipc]
          tipc_node_check_dest+0x3ea/0x8f0 [tipc]
          ? tipc_disc_rcv+0x2c7/0x430 [tipc]
          tipc_disc_rcv+0x2c7/0x430 [tipc]
          ? tipc_rcv+0x6bb/0xf20 [tipc]
          tipc_rcv+0x6bb/0xf20 [tipc]
          ? ip_route_input_slow+0x9cf/0xb10
          tipc_udp_recv+0x195/0x1e0 [tipc]
          ? tipc_udp_is_known_peer+0x80/0x80 [tipc]
          udp_queue_rcv_skb+0x180/0x460
          udp_unicast_rcv_skb.isra.56+0x75/0x90
          __udp4_lib_rcv+0x4ce/0xb90
          ip_local_deliver_finish+0x11c/0x210
          ip_local_deliver+0x6b/0xe0
          ? ip_rcv_finish+0xa9/0x410
          ip_rcv+0x273/0x362
      
      Fixes: 97ede29e ("tipc: convert name table read-write lock to RCU")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a459842