1. 09 Jul, 2020 19 commits
    • Misono Tomohiro's avatar
      hwmon: (acpi_power_meter) Fix potential memory leak in acpi_power_meter_add() · e210d910
      Misono Tomohiro authored
      [ Upstream commit 8b97f992 ]
      
      Although it rarely happens, we should call free_capabilities()
      if error happens after read_capabilities() to free allocated strings.
      
      Fixes: de584afa ("hwmon driver for ACPI 4.0 power meters")
      Signed-off-by: default avatarMisono Tomohiro <misono.tomohiro@jp.fujitsu.com>
      Link: https://lore.kernel.org/r/20200625043242.31175-1-misono.tomohiro@jp.fujitsu.comSigned-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      e210d910
    • Chu Lin's avatar
      hwmon: (max6697) Make sure the OVERT mask is set correctly · cbec0023
      Chu Lin authored
      [ Upstream commit 016983d1 ]
      
      Per the datasheet for max6697, OVERT mask and ALERT mask are different.
      For example, the 7th bit of OVERT is the local channel but for alert
      mask, the 6th bit is the local channel. Therefore, we can't apply the
      same mask for both registers. In addition to that, the max6697 driver
      is supposed to be compatibale with different models. I manually went over
      all the listed chips and made sure all chip types have the same layout.
      
      Testing;
          mask value of 0x9 should map to 0x44 for ALERT and 0x84 for OVERT.
          I used iotool to read the reg value back to verify. I only tested this
          change on max6581.
      
      Reference:
      https://datasheets.maximintegrated.com/en/ds/MAX6581.pdf
      https://datasheets.maximintegrated.com/en/ds/MAX6697.pdf
      https://datasheets.maximintegrated.com/en/ds/MAX6699.pdfSigned-off-by: default avatarChu Lin <linchuyuan@google.com>
      Fixes: 5372d2d7 ("hwmon: Driver for Maxim MAX6697 and compatibles")
      Signed-off-by: default avatarGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      cbec0023
    • Rahul Lakkireddy's avatar
      cxgb4: fix SGE queue dump destination buffer context · 844900c7
      Rahul Lakkireddy authored
      [ Upstream commit 1992ded5 ]
      
      The data in destination buffer is expected to be be parsed in big
      endian. So, use the right context.
      
      Fixes following sparse warning:
      cudbg_lib.c:2041:44: warning: incorrect type in assignment (different
      base types)
      cudbg_lib.c:2041:44:    expected unsigned long long [usertype]
      cudbg_lib.c:2041:44:    got restricted __be64 [usertype]
      
      Fixes: 736c3b94 ("cxgb4: collect egress and ingress SGE queue contexts")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      844900c7
    • Rahul Lakkireddy's avatar
      cxgb4: use correct type for all-mask IP address comparison · adc91f3d
      Rahul Lakkireddy authored
      [ Upstream commit f286dd8e ]
      
      Use correct type to check for all-mask exact match IP addresses.
      
      Fixes following sparse warnings due to big endian value checks
      against 0xffffffff in is_addr_all_mask():
      cxgb4_filter.c:977:25: warning: restricted __be32 degrades to integer
      cxgb4_filter.c:983:37: warning: restricted __be32 degrades to integer
      cxgb4_filter.c:984:37: warning: restricted __be32 degrades to integer
      cxgb4_filter.c:985:37: warning: restricted __be32 degrades to integer
      cxgb4_filter.c:986:37: warning: restricted __be32 degrades to integer
      
      Fixes: 3eb8b62d ("cxgb4: add support to create hash-filters via tc-flower offload")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      adc91f3d
    • Rahul Lakkireddy's avatar
      cxgb4: parse TC-U32 key values and masks natively · a03acbd6
      Rahul Lakkireddy authored
      [ Upstream commit 27f78cb2 ]
      
      TC-U32 passes all keys values and masks in __be32 format. The parser
      already expects this and hence pass the value and masks in __be32
      natively to the parser.
      
      Fixes following sparse warnings in several places:
      cxgb4_tc_u32.c:57:21: warning: incorrect type in assignment (different base
      types)
      cxgb4_tc_u32.c:57:21:    expected unsigned int [usertype] val
      cxgb4_tc_u32.c:57:21:    got restricted __be32 [usertype] val
      cxgb4_tc_u32_parse.h:48:24: warning: cast to restricted __be32
      
      Fixes: 2e8aad7b ("cxgb4: add parser to translate u32 filters to internal spec")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a03acbd6
    • Rahul Lakkireddy's avatar
      cxgb4: use unaligned conversion for fetching timestamp · 638232fa
      Rahul Lakkireddy authored
      [ Upstream commit 589b1c9c ]
      
      Use get_unaligned_be64() to fetch the timestamp needed for ns_to_ktime()
      conversion.
      
      Fixes following sparse warning:
      sge.c:3282:43: warning: cast to restricted __be64
      
      Fixes: a4569504 ("cxgb4: time stamping interface for PTP")
      Signed-off-by: default avatarRahul Lakkireddy <rahul.lakkireddy@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      638232fa
    • Chen Tao's avatar
      drm/msm/dpu: fix error return code in dpu_encoder_init · 0dc5df49
      Chen Tao authored
      [ Upstream commit aa472721 ]
      
      Fix to return negative error code -ENOMEM with the use of
      ERR_PTR from dpu_encoder_init.
      
      Fixes: 25fdd593 ("drm/msm: Add SDM845 DPU support")
      Signed-off-by: default avatarChen Tao <chentao107@huawei.com>
      Signed-off-by: default avatarRob Clark <robdclark@chromium.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0dc5df49
    • Herbert Xu's avatar
      crypto: af_alg - fix use-after-free in af_alg_accept() due to bh_lock_sock() · 9a8ecc6a
      Herbert Xu authored
      commit 34c86f4c upstream.
      
      The locking in af_alg_release_parent is broken as the BH socket
      lock can only be taken if there is a code-path to handle the case
      where the lock is owned by process-context.  Instead of adding
      such handling, we can fix this by changing the ref counts to
      atomic_t.
      
      This patch also modifies the main refcnt to include both normal
      and nokey sockets.  This way we don't have to fudge the nokey
      ref count when a socket changes from nokey to normal.
      
      Credits go to Mauricio Faria de Oliveira who diagnosed this bug
      and sent a patch for it:
      
      https://lore.kernel.org/linux-crypto/20200605161657.535043-1-mfo@canonical.com/Reported-by: default avatarBrian Moyles <bmoyles@netflix.com>
      Reported-by: default avatarMauricio Faria de Oliveira <mfo@canonical.com>
      Fixes: 37f96694 ("crypto: af_alg - Use bh_lock_sock in...")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a8ecc6a
    • Douglas Anderson's avatar
      kgdb: Avoid suspicious RCU usage warning · a464152c
      Douglas Anderson authored
      [ Upstream commit 440ab9e1 ]
      
      At times when I'm using kgdb I see a splat on my console about
      suspicious RCU usage.  I managed to come up with a case that could
      reproduce this that looked like this:
      
        WARNING: suspicious RCU usage
        5.7.0-rc4+ #609 Not tainted
        -----------------------------
        kernel/pid.c:395 find_task_by_pid_ns() needs rcu_read_lock() protection!
      
        other info that might help us debug this:
      
          rcu_scheduler_active = 2, debug_locks = 1
        3 locks held by swapper/0/1:
         #0: ffffff81b6b8e988 (&dev->mutex){....}-{3:3}, at: __device_attach+0x40/0x13c
         #1: ffffffd01109e9e8 (dbg_master_lock){....}-{2:2}, at: kgdb_cpu_enter+0x20c/0x7ac
         #2: ffffffd01109ea90 (dbg_slave_lock){....}-{2:2}, at: kgdb_cpu_enter+0x3ec/0x7ac
      
        stack backtrace:
        CPU: 7 PID: 1 Comm: swapper/0 Not tainted 5.7.0-rc4+ #609
        Hardware name: Google Cheza (rev3+) (DT)
        Call trace:
         dump_backtrace+0x0/0x1b8
         show_stack+0x1c/0x24
         dump_stack+0xd4/0x134
         lockdep_rcu_suspicious+0xf0/0x100
         find_task_by_pid_ns+0x5c/0x80
         getthread+0x8c/0xb0
         gdb_serial_stub+0x9d4/0xd04
         kgdb_cpu_enter+0x284/0x7ac
         kgdb_handle_exception+0x174/0x20c
         kgdb_brk_fn+0x24/0x30
         call_break_hook+0x6c/0x7c
         brk_handler+0x20/0x5c
         do_debug_exception+0x1c8/0x22c
         el1_sync_handler+0x3c/0xe4
         el1_sync+0x7c/0x100
         rpmh_rsc_probe+0x38/0x420
         platform_drv_probe+0x94/0xb4
         really_probe+0x134/0x300
         driver_probe_device+0x68/0x100
         __device_attach_driver+0x90/0xa8
         bus_for_each_drv+0x84/0xcc
         __device_attach+0xb4/0x13c
         device_initial_probe+0x18/0x20
         bus_probe_device+0x38/0x98
         device_add+0x38c/0x420
      
      If I understand properly we should just be able to blanket kgdb under
      one big RCU read lock and the problem should go away.  We'll add it to
      the beast-of-a-function known as kgdb_cpu_enter().
      
      With this I no longer get any splats and things seem to work fine.
      Signed-off-by: default avatarDouglas Anderson <dianders@chromium.org>
      Link: https://lore.kernel.org/r/20200602154729.v2.1.I70e0d4fd46d5ed2aaf0c98a355e8e1b7a5bb7e4e@changeidSigned-off-by: default avatarDaniel Thompson <daniel.thompson@linaro.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      a464152c
    • Anton Eidelman's avatar
      nvme-multipath: fix deadlock between ana_work and scan_work · 460a7b7e
      Anton Eidelman authored
      [ Upstream commit 489dd102 ]
      
      When scan_work calls nvme_mpath_add_disk() this holds ana_lock
      and invokes nvme_parse_ana_log(), which may issue IO
      in device_add_disk() and hang waiting for an accessible path.
      While nvme_mpath_set_live() only called when nvme_state_is_live(),
      a transition may cause NVME_SC_ANA_TRANSITION and requeue the IO.
      
      In order to recover and complete the IO ana_work on the same ctrl
      should be able to update the path state and remove NVME_NS_ANA_PENDING.
      
      The deadlock occurs because scan_work keeps holding ana_lock,
      so ana_work hangs [1].
      
      Fix:
      Now nvme_mpath_add_disk() uses nvme_parse_ana_log() to obtain a copy
      of the ANA group desc, and then calls nvme_update_ns_ana_state() without
      holding ana_lock.
      
      [1]:
      kernel: Workqueue: nvme-wq nvme_scan_work [nvme_core]
      kernel: Call Trace:
      kernel:  __schedule+0x2b9/0x6c0
      kernel:  schedule+0x42/0xb0
      kernel:  io_schedule+0x16/0x40
      kernel:  do_read_cache_page+0x438/0x830
      kernel:  read_cache_page+0x12/0x20
      kernel:  read_dev_sector+0x27/0xc0
      kernel:  read_lba+0xc1/0x220
      kernel:  efi_partition+0x1e6/0x708
      kernel:  check_partition+0x154/0x244
      kernel:  rescan_partitions+0xae/0x280
      kernel:  __blkdev_get+0x40f/0x560
      kernel:  blkdev_get+0x3d/0x140
      kernel:  __device_add_disk+0x388/0x480
      kernel:  device_add_disk+0x13/0x20
      kernel:  nvme_mpath_set_live+0x119/0x140 [nvme_core]
      kernel:  nvme_update_ns_ana_state+0x5c/0x60 [nvme_core]
      kernel:  nvme_set_ns_ana_state+0x1e/0x30 [nvme_core]
      kernel:  nvme_parse_ana_log+0xa1/0x180 [nvme_core]
      kernel:  nvme_mpath_add_disk+0x47/0x90 [nvme_core]
      kernel:  nvme_validate_ns+0x396/0x940 [nvme_core]
      kernel:  nvme_scan_work+0x24f/0x380 [nvme_core]
      kernel:  process_one_work+0x1db/0x380
      kernel:  worker_thread+0x249/0x400
      kernel:  kthread+0x104/0x140
      
      kernel: Workqueue: nvme-wq nvme_ana_work [nvme_core]
      kernel: Call Trace:
      kernel:  __schedule+0x2b9/0x6c0
      kernel:  schedule+0x42/0xb0
      kernel:  schedule_preempt_disabled+0xe/0x10
      kernel:  __mutex_lock.isra.0+0x182/0x4f0
      kernel:  ? __switch_to_asm+0x34/0x70
      kernel:  ? select_task_rq_fair+0x1aa/0x5c0
      kernel:  ? kvm_sched_clock_read+0x11/0x20
      kernel:  ? sched_clock+0x9/0x10
      kernel:  __mutex_lock_slowpath+0x13/0x20
      kernel:  mutex_lock+0x2e/0x40
      kernel:  nvme_read_ana_log+0x3a/0x100 [nvme_core]
      kernel:  nvme_ana_work+0x15/0x20 [nvme_core]
      kernel:  process_one_work+0x1db/0x380
      kernel:  worker_thread+0x4d/0x400
      kernel:  kthread+0x104/0x140
      kernel:  ? process_one_work+0x380/0x380
      kernel:  ? kthread_park+0x80/0x80
      kernel:  ret_from_fork+0x35/0x40
      
      Fixes: 0d0b660f ("nvme: add ANA support")
      Signed-off-by: default avatarAnton Eidelman <anton@lightbitslabs.com>
      Signed-off-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      460a7b7e
    • Keith Busch's avatar
      nvme-multipath: set bdi capabilities once · 0d70b94f
      Keith Busch authored
      [ Upstream commit b2ce4d90 ]
      
      The queues' backing device info capabilities don't change with each
      namespace revalidation. Set it only when each path's request_queue
      is initially added to a multipath queue.
      Signed-off-by: default avatarKeith Busch <kbusch@kernel.org>
      Reviewed-by: default avatarSagi Grimberg <sagi@grimberg.me>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      0d70b94f
    • Christian Borntraeger's avatar
      s390/debug: avoid kernel warning on too large number of pages · 34035e78
      Christian Borntraeger authored
      [ Upstream commit 827c4913 ]
      
      When specifying insanely large debug buffers a kernel warning is
      printed. The debug code does handle the error gracefully, though.
      Instead of duplicating the check let us silence the warning to
      avoid crashes when panic_on_warn is used.
      Signed-off-by: default avatarChristian Borntraeger <borntraeger@de.ibm.com>
      Reviewed-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      34035e78
    • Zqiang's avatar
      usb: usbtest: fix missing kfree(dev->buf) in usbtest_disconnect · 7b0f1f89
      Zqiang authored
      [ Upstream commit 28ebeb8d ]
      
      BUG: memory leak
      unreferenced object 0xffff888055046e00 (size 256):
        comm "kworker/2:9", pid 2570, jiffies 4294942129 (age 1095.500s)
        hex dump (first 32 bytes):
          00 70 04 55 80 88 ff ff 18 bb 5a 81 ff ff ff ff  .p.U......Z.....
          f5 96 78 81 ff ff ff ff 37 de 8e 81 ff ff ff ff  ..x.....7.......
        backtrace:
          [<00000000d121dccf>] kmemleak_alloc_recursive
      include/linux/kmemleak.h:43 [inline]
          [<00000000d121dccf>] slab_post_alloc_hook mm/slab.h:586 [inline]
          [<00000000d121dccf>] slab_alloc_node mm/slub.c:2786 [inline]
          [<00000000d121dccf>] slab_alloc mm/slub.c:2794 [inline]
          [<00000000d121dccf>] kmem_cache_alloc_trace+0x15e/0x2d0 mm/slub.c:2811
          [<000000005c3c3381>] kmalloc include/linux/slab.h:555 [inline]
          [<000000005c3c3381>] usbtest_probe+0x286/0x19d0
      drivers/usb/misc/usbtest.c:2790
          [<000000001cec6910>] usb_probe_interface+0x2bd/0x870
      drivers/usb/core/driver.c:361
          [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
          [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
          [<000000003ef66004>] __device_attach_driver+0x1b6/0x240
      drivers/base/dd.c:831
          [<00000000eee53e97>] bus_for_each_drv+0x14e/0x1e0 drivers/base/bus.c:431
          [<00000000bb0648d0>] __device_attach+0x1f9/0x350 drivers/base/dd.c:897
          [<00000000838b324a>] device_initial_probe+0x1a/0x20 drivers/base/dd.c:944
          [<0000000030d501c1>] bus_probe_device+0x1e1/0x280 drivers/base/bus.c:491
          [<000000005bd7adef>] device_add+0x131d/0x1c40 drivers/base/core.c:2504
          [<00000000a0937814>] usb_set_configuration+0xe84/0x1ab0
      drivers/usb/core/message.c:2030
          [<00000000e3934741>] generic_probe+0x6a/0xe0 drivers/usb/core/generic.c:210
          [<0000000098ade0f1>] usb_probe_device+0x90/0xd0
      drivers/usb/core/driver.c:266
          [<000000007806c118>] really_probe+0x48d/0x8f0 drivers/base/dd.c:551
          [<00000000a3308c3e>] driver_probe_device+0xfc/0x2a0 drivers/base/dd.c:724
      Acked-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: default avatarKyungtae Kim <kt0755@gmail.com>
      Signed-off-by: default avatarZqiang <qiang.zhang@windriver.com>
      Link: https://lore.kernel.org/r/20200612035210.20494-1-qiang.zhang@windriver.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      7b0f1f89
    • Qian Cai's avatar
      mm/slub: fix stack overruns with SLUB_STATS · 3e632652
      Qian Cai authored
      [ Upstream commit a68ee057 ]
      
      There is no need to copy SLUB_STATS items from root memcg cache to new
      memcg cache copies.  Doing so could result in stack overruns because the
      store function only accepts 0 to clear the stat and returns an error for
      everything else while the show method would print out the whole stat.
      
      Then, the mismatch of the lengths returns from show and store methods
      happens in memcg_propagate_slab_attrs():
      
      	else if (root_cache->max_attr_size < ARRAY_SIZE(mbuf))
      		buf = mbuf;
      
      max_attr_size is only 2 from slab_attr_store(), then, it uses mbuf[64]
      in show_stat() later where a bounch of sprintf() would overrun the stack
      variable.  Fix it by always allocating a page of buffer to be used in
      show_stat() if SLUB_STATS=y which should only be used for debug purpose.
      
        # echo 1 > /sys/kernel/slab/fs_cache/shrink
        BUG: KASAN: stack-out-of-bounds in number+0x421/0x6e0
        Write of size 1 at addr ffffc900256cfde0 by task kworker/76:0/53251
      
        Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
        Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
        Call Trace:
          number+0x421/0x6e0
          vsnprintf+0x451/0x8e0
          sprintf+0x9e/0xd0
          show_stat+0x124/0x1d0
          alloc_slowpath_show+0x13/0x20
          __kmem_cache_create+0x47a/0x6b0
      
        addr ffffc900256cfde0 is located in stack of task kworker/76:0/53251 at offset 0 in frame:
         process_one_work+0x0/0xb90
      
        this frame has 1 object:
         [32, 72) 'lockdep_map'
      
        Memory state around the buggy address:
         ffffc900256cfc80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
         ffffc900256cfd00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        >ffffc900256cfd80: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
                                                               ^
         ffffc900256cfe00: 00 00 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00
         ffffc900256cfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        ==================================================================
        Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: __kmem_cache_create+0x6ac/0x6b0
        Workqueue: memcg_kmem_cache memcg_kmem_cache_create_func
        Call Trace:
          __kmem_cache_create+0x6ac/0x6b0
      
      Fixes: 107dab5c ("slub: slub-specific propagation changes")
      Signed-off-by: default avatarQian Cai <cai@lca.pw>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Glauber Costa <glauber@scylladb.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Link: http://lkml.kernel.org/r/20200429222356.4322-1-cai@lca.pwSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      3e632652
    • Dongli Zhang's avatar
      mm/slub.c: fix corrupted freechain in deactivate_slab() · 6c09755c
      Dongli Zhang authored
      [ Upstream commit 52f23478 ]
      
      The slub_debug is able to fix the corrupted slab freelist/page.
      However, alloc_debug_processing() only checks the validity of current
      and next freepointer during allocation path.  As a result, once some
      objects have their freepointers corrupted, deactivate_slab() may lead to
      page fault.
      
      Below is from a test kernel module when 'slub_debug=PUF,kmalloc-128
      slub_nomerge'.  The test kernel corrupts the freepointer of one free
      object on purpose.  Unfortunately, deactivate_slab() does not detect it
      when iterating the freechain.
      
        BUG: unable to handle page fault for address: 00000000123456f8
        #PF: supervisor read access in kernel mode
        #PF: error_code(0x0000) - not-present page
        PGD 0 P4D 0
        Oops: 0000 [#1] SMP PTI
        ... ...
        RIP: 0010:deactivate_slab.isra.92+0xed/0x490
        ... ...
        Call Trace:
         ___slab_alloc+0x536/0x570
         __slab_alloc+0x17/0x30
         __kmalloc+0x1d9/0x200
         ext4_htree_store_dirent+0x30/0xf0
         htree_dirblock_to_tree+0xcb/0x1c0
         ext4_htree_fill_tree+0x1bc/0x2d0
         ext4_readdir+0x54f/0x920
         iterate_dir+0x88/0x190
         __x64_sys_getdents+0xa6/0x140
         do_syscall_64+0x49/0x170
         entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Therefore, this patch adds extra consistency check in deactivate_slab().
      Once an object's freepointer is corrupted, all following objects
      starting at this object are isolated.
      
      [akpm@linux-foundation.org: fix build with CONFIG_SLAB_DEBUG=n]
      Signed-off-by: default avatarDongli Zhang <dongli.zhang@oracle.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Cc: Joe Jin <joe.jin@oracle.com>
      Cc: Christoph Lameter <cl@linux.com>
      Cc: Pekka Enberg <penberg@kernel.org>
      Cc: David Rientjes <rientjes@google.com>
      Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
      Link: http://lkml.kernel.org/r/20200331031450.12182-1-dongli.zhang@oracle.comSigned-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      6c09755c
    • Tuomas Tynkkynen's avatar
      usbnet: smsc95xx: Fix use-after-free after removal · 2a72aabd
      Tuomas Tynkkynen authored
      [ Upstream commit b835a71e ]
      
      Syzbot reports an use-after-free in workqueue context:
      
      BUG: KASAN: use-after-free in mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
       mutex_unlock+0x19/0x40 kernel/locking/mutex.c:737
       __smsc95xx_mdio_read drivers/net/usb/smsc95xx.c:217 [inline]
       smsc95xx_mdio_read+0x583/0x870 drivers/net/usb/smsc95xx.c:278
       check_carrier+0xd1/0x2e0 drivers/net/usb/smsc95xx.c:644
       process_one_work+0x777/0xf90 kernel/workqueue.c:2274
       worker_thread+0xa8f/0x1430 kernel/workqueue.c:2420
       kthread+0x2df/0x300 kernel/kthread.c:255
      
      It looks like that smsc95xx_unbind() is freeing the structures that are
      still in use by the concurrently running workqueue callback. Thus switch
      to using cancel_delayed_work_sync() to ensure the work callback really
      is no longer active.
      
      Reported-by: syzbot+29dc7d4ae19b703ff947@syzkaller.appspotmail.com
      Signed-off-by: default avatarTuomas Tynkkynen <tuomas.tynkkynen@iki.fi>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      2a72aabd
    • Borislav Petkov's avatar
      EDAC/amd64: Read back the scrub rate PCI register on F15h · a0b3103d
      Borislav Petkov authored
      [ Upstream commit ee470bb2 ]
      
      Commit:
      
        da92110d ("EDAC, amd64_edac: Extend scrub rate support to F15hM60h")
      
      added support for F15h, model 0x60 CPUs but in doing so, missed to read
      back SCRCTRL PCI config register on F15h CPUs which are *not* model
      0x60. Add that read so that doing
      
        $ cat /sys/devices/system/edac/mc/mc0/sdram_scrub_rate
      
      can show the previously set DRAM scrub rate.
      
      Fixes: da92110d ("EDAC, amd64_edac: Extend scrub rate support to F15hM60h")
      Reported-by: default avatarAnders Andersson <pipatron@gmail.com>
      Signed-off-by: default avatarBorislav Petkov <bp@suse.de>
      Cc: <stable@vger.kernel.org> #v4.4..
      Link: https://lkml.kernel.org/r/CAKkunMbNWppx_i6xSdDHLseA2QQmGJqj_crY=NF-GZML5np4Vw@mail.gmail.comSigned-off-by: default avatarSasha Levin <sashal@kernel.org>
      a0b3103d
    • Hugh Dickins's avatar
      mm: fix swap cache node allocation mask · fa11088c
      Hugh Dickins authored
      [ Upstream commit 243bce09 ]
      
      Chris Murphy reports that a slightly overcommitted load, testing swap
      and zram along with i915, splats and keeps on splatting, when it had
      better fail less noisily:
      
        gnome-shell: page allocation failure: order:0,
        mode:0x400d0(__GFP_IO|__GFP_FS|__GFP_COMP|__GFP_RECLAIMABLE),
        nodemask=(null),cpuset=/,mems_allowed=0
        CPU: 2 PID: 1155 Comm: gnome-shell Not tainted 5.7.0-1.fc33.x86_64 #1
        Call Trace:
          dump_stack+0x64/0x88
          warn_alloc.cold+0x75/0xd9
          __alloc_pages_slowpath.constprop.0+0xcfa/0xd30
          __alloc_pages_nodemask+0x2df/0x320
          alloc_slab_page+0x195/0x310
          allocate_slab+0x3c5/0x440
          ___slab_alloc+0x40c/0x5f0
          __slab_alloc+0x1c/0x30
          kmem_cache_alloc+0x20e/0x220
          xas_nomem+0x28/0x70
          add_to_swap_cache+0x321/0x400
          __read_swap_cache_async+0x105/0x240
          swap_cluster_readahead+0x22c/0x2e0
          shmem_swapin+0x8e/0xc0
          shmem_swapin_page+0x196/0x740
          shmem_getpage_gfp+0x3a2/0xa60
          shmem_read_mapping_page_gfp+0x32/0x60
          shmem_get_pages+0x155/0x5e0 [i915]
          __i915_gem_object_get_pages+0x68/0xa0 [i915]
          i915_vma_pin+0x3fe/0x6c0 [i915]
          eb_add_vma+0x10b/0x2c0 [i915]
          i915_gem_do_execbuffer+0x704/0x3430 [i915]
          i915_gem_execbuffer2_ioctl+0x1ea/0x3e0 [i915]
          drm_ioctl_kernel+0x86/0xd0 [drm]
          drm_ioctl+0x206/0x390 [drm]
          ksys_ioctl+0x82/0xc0
          __x64_sys_ioctl+0x16/0x20
          do_syscall_64+0x5b/0xf0
          entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Reported on 5.7, but it goes back really to 3.1: when
      shmem_read_mapping_page_gfp() was implemented for use by i915, and
      allowed for __GFP_NORETRY and __GFP_NOWARN flags in most places, but
      missed swapin's "& GFP_KERNEL" mask for page tree node allocation in
      __read_swap_cache_async() - that was to mask off HIGHUSER_MOVABLE bits
      from what page cache uses, but GFP_RECLAIM_MASK is now what's needed.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=208085
      Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2006151330070.11064@eggly.anvils
      Fixes: 68da9f05 ("tmpfs: pass gfp to shmem_getpage_gfp")
      Signed-off-by: default avatarHugh Dickins <hughd@google.com>
      Reviewed-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Reviewed-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
      Reported-by: default avatarChris Murphy <lists@colorremedies.com>
      Analyzed-by: default avatarVlastimil Babka <vbabka@suse.cz>
      Analyzed-by: default avatarMatthew Wilcox <willy@infradead.org>
      Tested-by: default avatarChris Murphy <lists@colorremedies.com>
      Cc: <stable@vger.kernel.org>	[3.1+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      fa11088c
    • Filipe Manana's avatar
      btrfs: fix a block group ref counter leak after failure to remove block group · b3317a79
      Filipe Manana authored
      [ Upstream commit 9fecd132 ]
      
      When removing a block group, if we fail to delete the block group's item
      from the extent tree, we jump to the 'out' label and end up decrementing
      the block group's reference count once only (by 1), resulting in a counter
      leak because the block group at that point was already removed from the
      block group cache rbtree - so we have to decrement the reference count
      twice, once for the rbtree and once for our lookup at the start of the
      function.
      
      There is a second bug where if removing the free space tree entries (the
      call to remove_block_group_free_space()) fails we end up jumping to the
      'out_put_group' label but end up decrementing the reference count only
      once, when we should have done it twice, since we have already removed
      the block group from the block group cache rbtree. This happens because
      the reference count decrement for the rbtree reference happens after
      attempting to remove the free space tree entries, which is far away from
      the place where we remove the block group from the rbtree.
      
      To make things less error prone, decrement the reference count for the
      rbtree immediately after removing the block group from it. This also
      eleminates the need for two different exit labels on error, renaming
      'out_put_label' to just 'out' and removing the old 'out'.
      
      Fixes: f6033c5e ("btrfs: fix block group leak when removing fails")
      CC: stable@vger.kernel.org # 4.4+
      Reviewed-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarAnand Jain <anand.jain@oracle.com>
      Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
      b3317a79
  2. 01 Jul, 2020 21 commits