02 May, 2019: 23 commits
      fs/proc/proc_sysctl.c: Fix a NULL pointer dereference · 9f3a14be
      YueHaibing authored
      commit 89189557 upstream.
      
      Syzkaller reports this:
      
        sysctl could not get directory: /net//bridge -12
        kasan: CONFIG_KASAN_INLINE enabled
        kasan: GPF could be caused by NULL-ptr deref or user memory access
        general protection fault: 0000 [#1] SMP KASAN PTI
        CPU: 1 PID: 7027 Comm: syz-executor.0 Tainted: G         C        5.1.0-rc3+ #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
        RIP: 0010:__write_once_size include/linux/compiler.h:220 [inline]
        RIP: 0010:__rb_change_child include/linux/rbtree_augmented.h:144 [inline]
        RIP: 0010:__rb_erase_augmented include/linux/rbtree_augmented.h:186 [inline]
        RIP: 0010:rb_erase+0x5f4/0x19f0 lib/rbtree.c:459
        Code: 00 0f 85 60 13 00 00 48 89 1a 48 83 c4 18 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 0c 00 00 4d 85 ed 4c 89 2e 74 ce 4c 89 ea 48
        RSP: 0018:ffff8881bb507778 EFLAGS: 00010206
        RAX: dffffc0000000000 RBX: ffff8881f224b5b8 RCX: ffffffff818f3f6a
        RDX: 000000000000000a RSI: 0000000000000050 RDI: ffff8881f224b568
        RBP: 0000000000000000 R08: ffffed10376a0ef4 R09: ffffed10376a0ef4
        R10: 0000000000000001 R11: ffffed10376a0ef4 R12: ffff8881f224b558
        R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
        FS:  00007f3e7ce13700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 00007fd60fbe9398 CR3: 00000001cb55c001 CR4: 00000000007606e0
        DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
        DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
        PKRU: 55555554
        Call Trace:
         erase_entry fs/proc/proc_sysctl.c:178 [inline]
         erase_header+0xe3/0x160 fs/proc/proc_sysctl.c:207
         start_unregistering fs/proc/proc_sysctl.c:331 [inline]
         drop_sysctl_table+0x558/0x880 fs/proc/proc_sysctl.c:1631
         get_subdir fs/proc/proc_sysctl.c:1022 [inline]
         __register_sysctl_table+0xd65/0x1090 fs/proc/proc_sysctl.c:1335
         br_netfilter_init+0x68/0x1000 [br_netfilter]
         do_one_initcall+0xbc/0x47d init/main.c:901
         do_init_module+0x1b5/0x547 kernel/module.c:3456
         load_module+0x6405/0x8c10 kernel/module.c:3804
         __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
         do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        Modules linked in: br_netfilter(+) backlight comedi(C) hid_sensor_hub max3100 ti_ads8688 udc_core fddi snd_mona leds_gpio rc_streamzap mtd pata_netcell nf_log_common rc_winfast udp_tunnel snd_usbmidi_lib snd_usb_toneport snd_usb_line6 snd_rawmidi snd_seq_device snd_hwdep videobuf2_v4l2 videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops rc_gadmei_rm008z 8250_of smm665 hid_tmff hid_saitek hwmon_vid rc_ati_tv_wonder_hd_600 rc_core pata_pdc202xx_old dn_rtmsg as3722 ad714x_i2c ad714x snd_soc_cs4265 hid_kensington panel_ilitek_ili9322 drm drm_panel_orientation_quirks ipack cdc_phonet usbcore phonet hid_jabra hid extcon_arizona can_dev industrialio_triggered_buffer kfifo_buf industrialio adm1031 i2c_mux_ltc4306 i2c_mux ipmi_msghandler mlxsw_core snd_soc_cs35l34 snd_soc_core snd_pcm_dmaengine snd_pcm snd_timer ac97_bus snd_compress snd soundcore gpio_da9055 uio ecdh_generic mdio_thunder of_mdio fixed_phy libphy mdio_cavium iptable_security iptable_raw iptable_mangle
         iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev tpm kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel ide_pci_generic piix aes_x86_64 crypto_simd cryptd ide_core glue_helper input_leds psmouse intel_agp intel_gtt serio_raw ata_generic i2c_piix4 agpgart pata_acpi parport_pc parport floppy rtc_cmos sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: br_netfilter]
        Dumping ftrace buffer:
           (ftrace buffer empty)
        ---[ end trace 68741688d5fbfe85 ]---
      
      commit 23da9588 ("fs/proc/proc_sysctl.c: fix NULL pointer
      dereference in put_links") forgot to handle start_unregistering() case,
      while header->parent is NULL, it calls erase_header() and as seen in the
      above syzkaller call trace, accessing &header->parent->root will trigger
      a NULL pointer dereference.
      
      As that commit explained, there is also no need to call
      start_unregistering() if header->parent is NULL.
      
      Link: http://lkml.kernel.org/r/20190409153622.28112-1-yuehaibing@huawei.com
      Fixes: 23da9588 ("fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links")
      Fixes: 0e47c99d ("sysctl: Replace root_list with links between sysctl_table_sets")
      Signed-off-by: YueHaibing <yuehaibing@huawei.com>
      Reported-by: Hulk Robot <hulkci@huawei.com>
      Reviewed-by: Kees Cook <keescook@chromium.org>
      Cc: Luis Chamberlain <mcgrof@kernel.org>
      Cc: Alexey Dobriyan <adobriyan@gmail.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: "Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      intel_th: gth: Fix an off-by-one in output unassigning · 91cc4610
      Alexander Shishkin authored
      commit 91d3f8a6 upstream.
      
      Commit 9ed3f222 ("intel_th: Don't reference unassigned outputs")
      fixes a NULL dereference for all masters except the last one ("256+"),
      which keeps the stale pointer after the output driver had been unassigned.
      
      Fix the off-by-one.
      Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Fixes: 9ed3f222 ("intel_th: Don't reference unassigned outputs")
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      slip: make slhc_free() silently accept an error pointer · d442c82a
      Linus Torvalds authored
      commit baf76f0c upstream.
      
      This way, slhc_free() accepts what slhc_init() returns, whether that is
      an error or not.
      
      In particular, the pattern in sl_alloc_bufs() is
      
              slcomp = slhc_init(16, 16);
              ...
              slhc_free(slcomp);
      
      for the error handling path, and rather than complicate that code, just
      make it ok to always free what was returned by the init function.
      
      That's what the code used to do before commit 4ab42d78 ("ppp, slip:
      Validate VJ compression slot parameters completely") when slhc_init()
      just returned NULL for the error case, with no actual indication of the
      details of the error.
      
      Reported-by: syzbot+45474c076a4927533d2e@syzkaller.appspotmail.com
      Fixes: 4ab42d78 ("ppp, slip: Validate VJ compression slot parameters completely")
      Acked-by: Ben Hutchings <ben@decadent.org.uk>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
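      The init/free pairing described in the commit above, as an added example that is not the kernel's code: a user-space emulation of the ERR_PTR()/IS_ERR() convention, showing why a free routine paired with an init routine that can return an error pointer must accept that pointer silently. vj_init(), vj_free() and alloc_bufs() are hypothetical stand-ins for slhc_init(), slhc_free() and sl_alloc_bufs(); the slot bounds and the 'fail_later' failure are constructed for the demonstration.

```c
/*
 * Added example (not the kernel's code): a user-space emulation of the
 * Linux ERR_PTR()/IS_ERR() convention. vj_init(), vj_free() and
 * alloc_bufs() are hypothetical stand-ins for slhc_init(), slhc_free()
 * and sl_alloc_bufs(); the slot bounds are illustrative.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_ERRNO 4095

/* Encode a negative errno in the top page of the address space, as the kernel does. */
static inline void *ERR_PTR(long err) { return (void *)(intptr_t)err; }
static inline long PTR_ERR(const void *p) { return (long)(intptr_t)p; }
static inline bool IS_ERR(const void *p)
{
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}
static inline bool IS_ERR_OR_NULL(const void *p) { return !p || IS_ERR(p); }

struct vj_comp {
	int rslots, tslots;
	unsigned char *state;
};

/* Like slhc_init() after 4ab42d78: bad slot counts yield an error pointer, not NULL. */
struct vj_comp *vj_init(int rslots, int tslots)
{
	if (rslots < 3 || rslots > 255 || tslots < 3 || tslots > 255)
		return ERR_PTR(-EINVAL);

	struct vj_comp *c = calloc(1, sizeof(*c));
	if (!c)
		return ERR_PTR(-ENOMEM);
	c->state = calloc((size_t)rslots + (size_t)tslots, 1);
	if (!c->state) {
		free(c);
		return ERR_PTR(-ENOMEM);
	}
	c->rslots = rslots;
	c->tslots = tslots;
	return c;
}

/* The point of the fix: accept whatever vj_init() returned, including ERR_PTR() and NULL. */
void vj_free(struct vj_comp *c)
{
	if (IS_ERR_OR_NULL(c))
		return;
	free(c->state);
	free(c);
}

/*
 * Caller with a single error exit that frees unconditionally, as
 * sl_alloc_bufs() does. 'fail_later' is a constructed failure after a
 * successful init, so both error routes reach vj_free().
 */
int alloc_bufs(int slots, bool fail_later, struct vj_comp **out)
{
	struct vj_comp *comp = vj_init(slots, slots);
	int err = 0;

	if (IS_ERR(comp)) {
		err = (int)PTR_ERR(comp);
		goto err_exit;
	}
	if (fail_later) {
		err = -ENOMEM;
		goto err_exit;
	}
	*out = comp;
	return 0;

err_exit:
	vj_free(comp);	/* must not crash on an error pointer */
	return err;
}

/* Success path: init, then release normally. Returns 0 on success. */
int alloc_then_release(int slots)
{
	struct vj_comp *comp = NULL;
	int err = alloc_bufs(slots, false, &comp);

	if (err)
		return err;
	vj_free(comp);
	return 0;
}
```

      Without the IS_ERR_OR_NULL() check in vj_free(), the -EINVAL route through alloc_bufs() would dereference an address in the top page of the address space, which is the crash the commit addresses.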
      tipc: handle the err returned from cmd header function · d2618e32
      Xin Long authored
      commit 2ac695d1 upstream.
      
      Syzbot found a crash:
      
        BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
        Call Trace:
          tipc_nl_compat_name_table_dump+0x54f/0xcd0 net/tipc/netlink_compat.c:872
          __tipc_nl_compat_dumpit+0x59e/0xda0 net/tipc/netlink_compat.c:215
          tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:280
          tipc_nl_compat_handle net/tipc/netlink_compat.c:1226 [inline]
          tipc_nl_compat_recv+0x1b5f/0x2750 net/tipc/netlink_compat.c:1265
          genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
          genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
          netlink_rcv_skb+0x431/0x620 net/netlink/af_netlink.c:2477
          genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
          netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
          netlink_unicast+0xf3e/0x1020 net/netlink/af_netlink.c:1336
          netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
          sock_sendmsg_nosec net/socket.c:622 [inline]
          sock_sendmsg net/socket.c:632 [inline]
      
        Uninit was created at:
          __alloc_skb+0x309/0xa20 net/core/skbuff.c:208
          alloc_skb include/linux/skbuff.h:1012 [inline]
          netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
          netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
          sock_sendmsg_nosec net/socket.c:622 [inline]
          sock_sendmsg net/socket.c:632 [inline]
      
      It was supposed to be fixed in commit 974cb0e3 ("tipc: fix uninit-value
      in tipc_nl_compat_name_table_dump") by checking TLV_GET_DATA_LEN(msg->req)
      in cmd->header()/tipc_nl_compat_name_table_dump_header(), which is called
      ahead of tipc_nl_compat_name_table_dump().
      
      However, tipc_nl_compat_dumpit() doesn't handle the error returned from the
      cmd header function. It means that even when the check added in that fix
      fails, it won't stop calling tipc_nl_compat_name_table_dump(), and the
      issue will be triggered again.
      
      So this patch adds handling of the err returned from the cmd header
      function in tipc_nl_compat_dumpit().
      
      Reported-by: syzbot+3ce8520484b0d4e260a5@syzkaller.appspotmail.com
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock · d280a9ba
      Adalbert Lazăr authored
      commit 4c404ce2 upstream.
      
      Prior to commit 22b5c0b6 ("vsock/virtio: fix kernel panic
      after device hot-unplug"), vsock_core_init() was called from
      virtio_vsock_probe(). Now, virtio_transport_reset_no_sock() can be called
      before vsock_core_init() has the chance to run.
      
      [Wed Feb 27 14:17:09 2019] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110
      [Wed Feb 27 14:17:09 2019] #PF error: [normal kernel read fault]
      [Wed Feb 27 14:17:09 2019] PGD 0 P4D 0
      [Wed Feb 27 14:17:09 2019] Oops: 0000 [#1] SMP PTI
      [Wed Feb 27 14:17:09 2019] CPU: 3 PID: 59 Comm: kworker/3:1 Not tainted 5.0.0-rc7-390-generic-hvi #390
      [Wed Feb 27 14:17:09 2019] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
      [Wed Feb 27 14:17:09 2019] Workqueue: virtio_vsock virtio_transport_rx_work [vmw_vsock_virtio_transport]
      [Wed Feb 27 14:17:09 2019] RIP: 0010:virtio_transport_reset_no_sock+0x8c/0xc0 [vmw_vsock_virtio_transport_common]
      [Wed Feb 27 14:17:09 2019] Code: 35 8b 4f 14 48 8b 57 08 31 f6 44 8b 4f 10 44 8b 07 48 8d 7d c8 e8 84 f8 ff ff 48 85 c0 48 89 c3 74 2a e8 f7 31 03 00 48 89 df <48> 8b 80 10 01 00 00 e8 68 fb 69 ed 48 8b 75 f0 65 48 33 34 25 28
      [Wed Feb 27 14:17:09 2019] RSP: 0018:ffffb42701ab7d40 EFLAGS: 00010282
      [Wed Feb 27 14:17:09 2019] RAX: 0000000000000000 RBX: ffff9d79637ee080 RCX: 0000000000000003
      [Wed Feb 27 14:17:09 2019] RDX: 0000000000000001 RSI: 0000000000000002 RDI: ffff9d79637ee080
      [Wed Feb 27 14:17:09 2019] RBP: ffffb42701ab7d78 R08: ffff9d796fae70e0 R09: ffff9d796f403500
      [Wed Feb 27 14:17:09 2019] R10: ffffb42701ab7d90 R11: 0000000000000000 R12: ffff9d7969d09240
      [Wed Feb 27 14:17:09 2019] R13: ffff9d79624e6840 R14: ffff9d7969d09318 R15: ffff9d796d48ff80
      [Wed Feb 27 14:17:09 2019] FS:  0000000000000000(0000) GS:ffff9d796fac0000(0000) knlGS:0000000000000000
      [Wed Feb 27 14:17:09 2019] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [Wed Feb 27 14:17:09 2019] CR2: 0000000000000110 CR3: 0000000427f22000 CR4: 00000000000006e0
      [Wed Feb 27 14:17:09 2019] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [Wed Feb 27 14:17:09 2019] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [Wed Feb 27 14:17:09 2019] Call Trace:
      [Wed Feb 27 14:17:09 2019]  virtio_transport_recv_pkt+0x63/0x820 [vmw_vsock_virtio_transport_common]
      [Wed Feb 27 14:17:09 2019]  ? kfree+0x17e/0x190
      [Wed Feb 27 14:17:09 2019]  ? detach_buf_split+0x145/0x160
      [Wed Feb 27 14:17:09 2019]  ? __switch_to_asm+0x40/0x70
      [Wed Feb 27 14:17:09 2019]  virtio_transport_rx_work+0xa0/0x106 [vmw_vsock_virtio_transport]
      [Wed Feb 27 14:17:09 2019] NET: Registered protocol family 40
      [Wed Feb 27 14:17:09 2019]  process_one_work+0x167/0x410
      [Wed Feb 27 14:17:09 2019]  worker_thread+0x4d/0x460
      [Wed Feb 27 14:17:09 2019]  kthread+0x105/0x140
      [Wed Feb 27 14:17:09 2019]  ? rescuer_thread+0x360/0x360
      [Wed Feb 27 14:17:09 2019]  ? kthread_destroy_worker+0x50/0x50
      [Wed Feb 27 14:17:09 2019]  ret_from_fork+0x35/0x40
      [Wed Feb 27 14:17:09 2019] Modules linked in: vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common input_leds vsock serio_raw i2c_piix4 mac_hid qemu_fw_cfg autofs4 cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse drm net_failover pata_acpi virtio_blk failover floppy
      
      Fixes: 22b5c0b6 ("vsock/virtio: fix kernel panic after device hot-unplug")
      Reported-by: Alexandru Herghelegiu <aherghelegiu@bitdefender.com>
      Signed-off-by: Adalbert Lazăr <alazar@bitdefender.com>
      Co-developed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
      Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      USB: Consolidate LPM checks to avoid enabling LPM twice · 9b916afc
      Kai-Heng Feng authored
      commit d7a6c0ce upstream.
      
      USB Bluetooth controller QCA ROME (0cf3:e007) sometimes stops working
      after S3:
      [ 165.110742] Bluetooth: hci0: using NVM file: qca/nvm_usb_00000302.bin
      [ 168.432065] Bluetooth: hci0: Failed to send body at 4 of 1953 (-110)
      
      After some experiments, I found that disabling LPM can workaround the
      issue.
      
      On some platforms, the USB power is cut during S3, so the driver uses
      reset-resume to resume the device. During port resume, LPM gets enabled
      twice, by usb_reset_and_verify_device() and usb_port_resume().
      
      Consolidate all checks into new LPM helpers to make sure LPM only gets
      enabled once.
      
      Fixes: de68bab4 ("usb: Don't enable USB 2.0 Link PM by default.")
      Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Cc: stable <stable@vger.kernel.org> # after much soaking
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      USB: Add new USB LPM helpers · c73982bb
      Kai-Heng Feng authored
      commit 7529b257 upstream.
      
      Use new helpers to make LPM enabling/disabling more clear.
      
      This is a preparation to subsequent patch.
      Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Cc: stable <stable@vger.kernel.org> # after much soaking
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      drm/vc4: Fix compilation error reported by kbuild test bot · ff0d081f
      Maarten Lankhorst authored
      commit 462ce5d9 upstream.
      
      A pointer to crtc was missing, resulting in the following build error:
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse: sparse: incorrect type in argument 1 (different base types)
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse:    expected struct drm_crtc *crtc
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse:    got struct drm_crtc_state *state
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:39: sparse: sparse: not enough arguments for function vc4_crtc_destroy_state
      Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Reported-by: kbuild test robot <lkp@intel.com>
      Cc: Eric Anholt <eric@anholt.net>
      Link: https://patchwork.freedesktop.org/patch/msgid/2b6ed5e6-81b0-4276-8860-870b54ca3262@linux.intel.com
      Fixes: d0810679 ("drm/vc4: Fix memory leak during gpu reset.")
      Cc: <stable@vger.kernel.org> # v4.6+
      Acked-by: Daniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      drm/vc4: Fix memory leak during gpu reset. · 420f8c09
      Maarten Lankhorst authored
      commit d0810679 upstream.
      
      __drm_atomic_helper_crtc_destroy_state does not free memory, it only
      cleans it up. Fix this by calling the functions own destroy function.
      
      Fixes: 6d6e5003 ("drm/vc4: Allocate the right amount of space for boot-time CRTC state.")
      Cc: Eric Anholt <eric@anholt.net>
      Cc: <stable@vger.kernel.org> # v4.6+
      Reviewed-by: Eric Anholt <eric@anholt.net>
      Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190301125627.7285-2-maarten.lankhorst@linux.intel.com
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ARM: 8857/1: efi: enable CP15 DMB instructions before cleaning the cache · 2732382a
      Ard Biesheuvel authored
      commit e17b1af9 upstream.
      
      The EFI stub is entered with the caches and MMU enabled by the
      firmware, and once the stub is ready to hand over to the decompressor,
      we clean and disable the caches.
      
      The cache clean routines use CP15 barrier instructions, which can be
      disabled via SCTLR. Normally, when using the provided cache handling
      routines to enable the caches and MMU, this bit is enabled as well.
      However, since we entered the stub with the caches already enabled,
      this routine is not executed before we call the cache clean routines,
      resulting in undefined instruction exceptions if the firmware never
      enabled this bit.
      
      So set the bit explicitly in the EFI entry code, but do so in a way that
      guarantees that the resulting code can still run on v6 cores as well
      (which are guaranteed to have CP15 barriers enabled)
      
      Cc: <stable@vger.kernel.org> # v4.9+
      Acked-by: Marc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      dmaengine: sh: rcar-dmac: With cyclic DMA residue 0 is valid · 2996669f
      Dirk Behme authored
      commit 907bd68a upstream.
      
      With cyclic DMA, a residue of 0 is not an indication of a completed
      DMA. In case of cyclic DMA make sure that dma_set_residue() is called
      so that a residue of 0 is forwarded correctly to the caller.
      
      Fixes: 3544d287 ("dmaengine: rcar-dmac: use result of updated get_residue in tx_status")
      Signed-off-by: Dirk Behme <dirk.behme@de.bosch.com>
      Signed-off-by: Achim Dahlhoff <Achim.Dahlhoff@de.bosch.com>
      Signed-off-by: Hiroyuki Yokoyama <hiroyuki.yokoyama.vx@renesas.com>
      Signed-off-by: Yao Lihua <ylhuajnu@outlook.com>
      Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
      Cc: <stable@vger.kernel.org> # v4.8+
      Signed-off-by: Vinod Koul <vkoul@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Input: synaptics-rmi4 - write config register values to the right offset · a4a0e6b3
      Lucas Stach authored
      commit 3a349763 upstream.
      
      Currently any changed config register values don't take effect, as the
      function to write them back is called with the wrong register offset.
      
      Fixes: ff8f8370 (Input: synaptics-rmi4 - add support for 2D sensors and F11)
      Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
      Reviewed-by: Philipp Zabel <p.zabel@pengutronix.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      sunrpc: don't mark uninitialised items as VALID. · 9bae0c05
      NeilBrown authored
      commit d58431ea upstream.
      
      A recent commit added a call to cache_fresh_locked()
      when an expired item was found.
      The call sets the CACHE_VALID flag, so it is important
      that the item actually is valid.
      There are two ways it could be valid:
      1/ If ->update has been called to fill in relevant content
      2/ if CACHE_NEGATIVE is set, to say that content doesn't exist.
      
      An expired item that is waiting for an update will be neither.
      Setting CACHE_VALID will mean that a subsequent call to cache_put()
      will be likely to dereference uninitialised pointers.
      
      So we must make sure the item is valid, and we already have code to do
      that in try_to_negate_entry().  This takes the hash lock and so cannot
      be used directly, so take out the two lines that we need and use them.
      
      Now cache_fresh_locked() is certain to be called only on
      a valid item.
      
      Cc: stable@kernel.org # 2.6.35
      Fixes: 4ecd55ea ("sunrpc: fix cache_head leak due to queued request")
      Signed-off-by: NeilBrown <neilb@suse.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      nfsd: Don't release the callback slot unless it was actually held · 28154b86
      Trond Myklebust authored
      commit e6abc8ca upstream.
      
      If there are multiple callbacks queued, waiting for the callback
      slot when the callback gets shut down, then they all currently
      end up acting as if they hold the slot, and call
      nfsd4_cb_sequence_done() resulting in interesting side-effects.
      
      In addition, the 'retry_nowait' path in nfsd4_cb_sequence_done()
      causes a loop back to nfsd4_cb_prepare() without first freeing the
      slot, which causes a deadlock when nfsd41_cb_get_slot() gets called
      a second time.
      
      This patch therefore adds a boolean to track whether or not the
      callback did pick up the slot, so that it can do the right thing
      in these 2 cases.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ceph: fix ci->i_head_snapc leak · 99055c03
      Yan, Zheng authored
      commit 37659182 upstream.
      
      We missed two places that i_wrbuffer_ref_head, i_wr_ref, i_dirty_caps
      and i_flushing_caps may change. When they are all zeros, we should free
      i_head_snapc.
      
      Cc: stable@vger.kernel.org
      Link: https://tracker.ceph.com/issues/38224
      Reported-and-tested-by: Luis Henriques <lhenriques@suse.com>
      Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      ceph: ensure d_name stability in ceph_dentry_hash() · a9adfd94
      Jeff Layton authored
      commit 76a495d6 upstream.
      
      Take the d_lock here to ensure that d_name doesn't change.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Jeff Layton <jlayton@kernel.org>
      Reviewed-by: "Yan, Zheng" <zyan@redhat.com>
      Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      sched/numa: Fix a possible divide-by-zero · c9e5f60b
      Xie XiuQi authored
      commit a860fa7b upstream.
      
      sched_clock_cpu() may not be consistent between CPUs. If a task
      migrates to another CPU, then se.exec_start is set to that CPU's
      rq_clock_task() by update_stats_curr_start(). Specifically, the new
      value might be before the old value due to clock skew.
      
      So then if in numa_get_avg_runtime() the expression:
      
        'now - p->last_task_numa_placement'
      
      ends up as -1, then the divider '*period + 1' in task_numa_placement()
      is 0 and things go bang. Similar to update_curr(), check if time goes
      backwards to avoid this.
      
      [ peterz: Wrote new changelog. ]
      [ mingo: Tweaked the code comment. ]
      Signed-off-by: Xie XiuQi <xiexiuqi@huawei.com>
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: cj.chengjian@huawei.com
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/20190425080016.GX11158@hirez.programming.kicks-ass.net
      Signed-off-by: Ingo Molnar <mingo@kernel.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
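      The arithmetic in the changelog above, worked through as an added example that is not the scheduler's code: a user-space model of the 'period + 1' divisor that follows numa_get_avg_runtime(), with and without the clamp this fix adds. runtime_and_period() and weight_for() are hypothetical names, the clock values are constructed, and u64/s64 mirror the kernel's integer types.

```c
/*
 * Added example (not the scheduler's code): a user-space model of the
 * 'period + 1' divisor used after numa_get_avg_runtime(), and of the
 * clamp this fix adds. runtime_and_period() and weight_for() are
 * hypothetical names; the clock values are constructed.
 */
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t u64;
typedef int64_t s64;

struct task_model {
	u64 exec_start;                 /* stamped from the current CPU's clock */
	u64 sum_exec_runtime;
	u64 last_task_numa_placement;   /* stamped from a possibly different CPU's clock */
	u64 last_sum_exec_runtime;
};

/*
 * Models numa_get_avg_runtime(): returns the runtime delta and writes the
 * elapsed period. With 'fixed' false it behaves like the code before this patch.
 */
static u64 runtime_and_period(const struct task_model *p, bool fixed, u64 *period)
{
	u64 now = p->exec_start;
	u64 delta = p->sum_exec_runtime - p->last_sum_exec_runtime;

	*period = now - p->last_task_numa_placement;

	/* The fix: if the clock went backwards, treat the period as empty rather than huge. */
	if (fixed && (s64)*period < 0)
		*period = 0;
	return delta;
}

/*
 * Models the '(runtime << 16) / (period + 1)' step. Returns false instead
 * of dividing when the divisor is zero, so the unfixed path can be
 * observed without taking a divide error.
 */
static bool weight_for(const struct task_model *p, bool fixed, u64 *weight)
{
	u64 period;
	u64 runtime = runtime_and_period(p, fixed, &period);
	u64 divisor = period + 1;	/* wraps to 0 when period == (u64)-1 */

	if (divisor == 0)
		return false;
	*weight = (runtime << 16) / divisor;
	return true;
}

/* Constructed task: the new CPU's clock reads 1 ns behind the old placement stamp. */
static struct task_model skewed_task(void)
{
	struct task_model t = {
		.exec_start = 1000,
		.sum_exec_runtime = 5000,
		.last_task_numa_placement = 1001,
		.last_sum_exec_runtime = 4000,
	};
	return t;
}

/* 1 if the unfixed code would divide by zero on the skewed task. */
int unfixed_divides_by_zero(void)
{
	struct task_model t = skewed_task();
	u64 w;

	return weight_for(&t, false, &w) ? 0 : 1;
}

/* Weight the fixed code computes on the skewed task (period clamped to 0, divisor 1). */
u64 fixed_weight(void)
{
	struct task_model t = skewed_task();
	u64 w = 0;

	return weight_for(&t, true, &w) ? w : 0;
}
```

      The unsigned subtraction never traps; it is the '+ 1' on a period of (u64)-1 that yields a zero divisor, which is why the check has to look at the sign of the period rather than at the divisor alone.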
      IB/rdmavt: Fix frwr memory registration · a51d5ec2
      Josh Collier authored
      commit 7c39f7f6 upstream.
      
      Current implementation was not properly handling frwr memory
      registrations. This was uncovered by commit 27f26cec761das ("xprtrdma:
      Plant XID in on-the-wire RDMA offset (FRWR)") in which xprtrdma, which is
      used for NFS over RDMA, started failing as it was the first ULP to modify
      the ib_mr iova resulting in the NFS server getting REMOTE ACCESS ERROR
      when attempting to perform RDMA Writes to the client.
      
      The fix is to properly capture the true iova, offset, and length in the
      call to ib_map_mr_sg, and then update the iova when processing the
      IB_WR_REG_MEM on the send queue.
      
      Fixes: a41081aa ("IB/rdmavt: Add support for ib_map_mr_sg")
      Cc: stable@vger.kernel.org
      Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Reviewed-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: Josh Collier <josh.d.collier@intel.com>
      Signed-off-by: Dennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      trace: Fix preempt_enable_no_resched() abuse · 56f9da85
      Peter Zijlstra authored
      commit d6097c9e upstream.
      
      Unless the very next line is schedule(), or implies it, one must not use
      preempt_enable_no_resched(). It can cause a preemption to go missing and
      thereby cause arbitrary delays, breaking the PREEMPT=y invariant.
      
      Link: http://lkml.kernel.org/r/20190423200318.GY14281@hirez.programming.kicks-ass.net
      
      Cc: Waiman Long <longman@redhat.com>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Will Deacon <will.deacon@arm.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: the arch/x86 maintainers <x86@kernel.org>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: Tim Chen <tim.c.chen@linux.intel.com>
      Cc: huang ying <huang.ying.caritas@gmail.com>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Alexei Starovoitov <ast@kernel.org>
      Cc: Daniel Borkmann <daniel@iogearbox.net>
      Cc: stable@vger.kernel.org
      Fixes: 2c2d7329 ("tracing/ftrace: use preempt_enable_no_resched_notrace in ring_buffer_time_stamp()")
      Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      MIPS: scall64-o32: Fix indirect syscall number load · 078ffd64
      Aurelien Jarno authored
      commit 79b4a9cf upstream.
      
      Commit 4c21b8fd (MIPS: seccomp: Handle indirect system calls (o32))
      added indirect syscall detection for O32 processes running on MIPS64,
      but it did not work correctly for big endian kernel/processes. The
      reason is that the syscall number is loaded from ARG1 using the lw
      instruction while this is a 64-bit value, so zero is loaded instead of
      the syscall number.
      
      Fix the code by using the ld instruction instead. When running 32-bit
      processes on a 64-bit CPU, the values are properly sign-extended, so it
      ensures the value passed to syscall_trace_enter is correct.
      
      Recent systemd versions with seccomp enabled whitelist the getpid
      syscall for their internal processes (e.g. systemd-journald), but call
      it through syscall(SYS_getpid). This fix therefore allows O32 big endian
      systems with a 64-bit kernel to run recent systemd versions.
      Signed-off-by: Aurelien Jarno <aurelien@aurel32.net>
      Cc: <stable@vger.kernel.org> # v3.15+
      Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org>
      Signed-off-by: Paul Burton <paul.burton@mips.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • tracing: Fix a memory leak by early error exit in trace_pid_write() · 3ddc2993
      Wenwen Wang authored
      commit 91862cc7 upstream.
      
      In trace_pid_write(), the buffer for trace parser is allocated through
      kmalloc() in trace_parser_get_init(). Later on, after the buffer is used,
      it is then freed through kfree() in trace_parser_put(). However, it is
      possible that trace_pid_write() is terminated due to unexpected errors,
      e.g., ENOMEM. In that case, the allocated buffer will not be freed, which
      is a memory leak bug.
      
      To fix this issue, free the allocated buffer when an error is encountered.
      
      Link: http://lkml.kernel.org/r/1555726979-15633-1-git-send-email-wang6495@umn.edu
      
      Fixes: f4d34a87 ("tracing: Use pid bitmap instead of a pid array for set_event_pid")
      Cc: stable@vger.kernel.org
      Signed-off-by: Wenwen Wang <wang6495@umn.edu>
      Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • cifs: do not attempt cifs operation on smb2+ rename error · da502d34
      Frank Sorenson authored
      commit 652727bb upstream.
      
      A path-based rename returning EBUSY will incorrectly try opening
      the file with a cifs (NT Create AndX) operation on an smb2+ mount,
      which causes the server to force a session close.
      
      If the mount is smb2+, skip the fallback.
      Signed-off-by: Frank Sorenson <sorenson@redhat.com>
      Signed-off-by: Steve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Reviewed-by: Ronnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • kbuild: simplify ld-option implementation · a4ccc9e5
      Masahiro Yamada authored
      commit 0294e6f4 upstream.
      
      Currently, linker options are tested by the coordination of $(CC) and
      $(LD) because $(LD) needs some object to link.
      
      As commit 86a9df59 ("kbuild: fix linker feature test macros when
      cross compiling with Clang") addressed, we need to make sure $(CC)
      and $(LD) agree on the underlying architecture of the passed object.
      
      This could be a bit complex when we combine tools from different groups.
      For example, we can use clang for $(CC), but we still need to rely on
      the GCC toolchain for $(LD).
      
      So, I was searching for a way of standalone testing of linker options.
      A trick I found is to use '-v'; this not only prints the version string,
      but also tests if the given option is recognized.
      
      If a given option is supported,
      
        $ aarch64-linux-gnu-ld -v --fix-cortex-a53-843419
        GNU ld (Linaro_Binutils-2017.11) 2.28.2.20170706
        $ echo $?
        0
      
      If unsupported,
      
        $ aarch64-linux-gnu-ld -v --fix-cortex-a53-843419
        GNU ld (crosstool-NG linaro-1.13.1-4.7-2013.04-20130415 - Linaro GCC 2013.04) 2.23.1
        aarch64-linux-gnu-ld: unrecognized option '--fix-cortex-a53-843419'
        aarch64-linux-gnu-ld: use the --help option for usage information
        $ echo $?
        1
      
      Gold works likewise.
      
        $ aarch64-linux-gnu-ld.gold -v --fix-cortex-a53-843419
        GNU gold (Linaro_Binutils-2017.11 2.28.2.20170706) 1.14
        masahiro@pug:~/ref/linux$ echo $?
        0
        $ aarch64-linux-gnu-ld.gold -v --fix-cortex-a53-999999
        GNU gold (Linaro_Binutils-2017.11 2.28.2.20170706) 1.14
        aarch64-linux-gnu-ld.gold: --fix-cortex-a53-999999: unknown option
        aarch64-linux-gnu-ld.gold: use the --help option for usage information
        $ echo $?
        1
      
      LLD too.
      
        $ ld.lld -v --gc-sections
        LLD 7.0.0 (http://llvm.org/git/lld.git 4a0e4190e74cea19f8a8dc625ccaebdf8b5d1585) (compatible with GNU linkers)
        $ echo $?
        0
        $ ld.lld -v --fix-cortex-a53-843419
        LLD 7.0.0 (http://llvm.org/git/lld.git 4a0e4190e74cea19f8a8dc625ccaebdf8b5d1585) (compatible with GNU linkers)
        $ echo $?
        0
        $ ld.lld -v --fix-cortex-a53-999999
        ld.lld: error: unknown argument: --fix-cortex-a53-999999
        LLD 7.0.0 (http://llvm.org/git/lld.git 4a0e4190e74cea19f8a8dc625ccaebdf8b5d1585) (compatible with GNU linkers)
        $ echo $?
        1
      Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
      Tested-by: Nick Desaulniers <ndesaulniers@google.com>
      [nc: try-run-cached was added later, just use try-run, which is the
           current mainline state]
      Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
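The standalone linker-option test described in the commit above, written out as a shell function (an added example, not the Kbuild `ld-option` macro itself): `ld_option OPTION [FALLBACK]` runs `$LD -v OPTION` and uses the exit status alone to decide, exactly as the message argues. `make_mock_ld` builds a constructed stand-in linker (it is an assumption, not a real tool) that mimics the `-v` behaviour shown for GNU ld, gold and lld, so the check can be exercised offline; in real use point `LD` at the cross linker, e.g. `LD=aarch64-linux-gnu-ld`.

```shell
#!/bin/sh
# ld_option OPTION [FALLBACK]
# Prints OPTION when "$LD -v OPTION" exits 0 (linker recognises the flag),
# otherwise prints FALLBACK (or nothing). No object file is needed, so $CC
# and $LD never have to agree on an architecture for this test.
ld_option() {
    if "${LD:-ld}" -v "$1" >/dev/null 2>&1; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "${2:-}"
    fi
}

# make_mock_ld PATH
# Writes a constructed stand-in for a linker: like ld.bfd, gold and lld it
# prints a version string for -v, but exits 1 on an option it does not know.
# It recognises only --fix-cortex-a53-843419 and --gc-sections.
make_mock_ld() {
    cat >"$1" <<'EOF'
#!/bin/sh
status=0
for arg in "$@"; do
    case "$arg" in
        -v|--fix-cortex-a53-843419|--gc-sections) ;;
        *) echo "mock-ld: unrecognized option '$arg'" >&2; status=1 ;;
    esac
done
echo "mock ld (constructed stand-in) 0.0"
exit $status
EOF
    chmod +x "$1"
}

# Demo against the constructed mock; the accepted option is echoed back,
# the unknown one falls through to the fallback.
demo_dir=$(mktemp -d)
make_mock_ld "$demo_dir/mock-ld"
LD="$demo_dir/mock-ld" ld_option --fix-cortex-a53-843419
LD="$demo_dir/mock-ld" ld_option --fix-cortex-a53-999999 --gc-sections
rm -rf "$demo_dir"
```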
  2. 27 Apr, 2019 17 commits