1. 03 Jun, 2020 16 commits
    • cachefiles: Fix race between read_waiter and read_copier involving op->to_do · e88c7721
      Lei Xue authored
      [ Upstream commit 7bb0c533 ]
      
      There is a potential race in fscache operation enqueuing for reading and
      copying multiple pages from cachefiles to netfs.  The problem can be seen
      easily on a heavy loaded system (for example many processes reading files
      continually on an NFS share covered by fscache triggered this problem within
      a few minutes).
      
      The race is due to cachefiles_read_waiter() adding the op to the monitor
      to_do list and then dropping the object->work_lock spinlock before
      completing fscache_enqueue_operation().  Once the lock is dropped,
      cachefiles_read_copier() grabs the op, completes processing it, and
      makes it through fscache_retrieval_complete() which sets the op->state to
      the final state of FSCACHE_OP_ST_COMPLETE(4).  When cachefiles_read_waiter()
      finally gets through the remainder of fscache_enqueue_operation()
      it sees the invalid state, and hits the ASSERTCMP and the following
      oops is seen:
      [ 2259.612361] FS-Cache:
      [ 2259.614785] FS-Cache: Assertion failed
      [ 2259.618639] FS-Cache: 4 == 5 is false
      [ 2259.622456] ------------[ cut here ]------------
      [ 2259.627190] kernel BUG at fs/fscache/operation.c:70!
      ...
      [ 2259.791675] RIP: 0010:[<ffffffffc061b4cf>]  [<ffffffffc061b4cf>] fscache_enqueue_operation+0xff/0x170 [fscache]
      [ 2259.802059] RSP: 0000:ffffa0263d543be0  EFLAGS: 00010046
      [ 2259.807521] RAX: 0000000000000019 RBX: ffffa01a4d390480 RCX: 0000000000000006
      [ 2259.814847] RDX: 0000000000000000 RSI: 0000000000000046 RDI: ffffa0263d553890
      [ 2259.822176] RBP: ffffa0263d543be8 R08: 0000000000000000 R09: ffffa0263c2d8708
      [ 2259.829502] R10: 0000000000001e7f R11: 0000000000000000 R12: ffffa01a4d390480
      [ 2259.844483] R13: ffff9fa9546c5920 R14: ffffa0263d543c80 R15: ffffa0293ff9bf10
      [ 2259.859554] FS:  00007f4b6efbd700(0000) GS:ffffa0263d540000(0000) knlGS:0000000000000000
      [ 2259.875571] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2259.889117] CR2: 00007f49e1624ff0 CR3: 0000012b38b38000 CR4: 00000000007607e0
      [ 2259.904015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 2259.918764] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [ 2259.933449] PKRU: 55555554
      [ 2259.943654] Call Trace:
      [ 2259.953592]  <IRQ>
      [ 2259.955577]  [<ffffffffc03a7c12>] cachefiles_read_waiter+0x92/0xf0 [cachefiles]
      [ 2259.978039]  [<ffffffffa34d3942>] __wake_up_common+0x82/0x120
      [ 2259.991392]  [<ffffffffa34d3a63>] __wake_up_common_lock+0x83/0xc0
      [ 2260.004930]  [<ffffffffa34d3510>] ? task_rq_unlock+0x20/0x20
      [ 2260.017863]  [<ffffffffa34d3ab3>] __wake_up+0x13/0x20
      [ 2260.030230]  [<ffffffffa34c72a0>] __wake_up_bit+0x50/0x70
      [ 2260.042535]  [<ffffffffa35bdcdb>] unlock_page+0x2b/0x30
      [ 2260.054495]  [<ffffffffa35bdd09>] page_endio+0x29/0x90
      [ 2260.066184]  [<ffffffffa368fc81>] mpage_end_io+0x51/0x80
      
      CPU1
      cachefiles_read_waiter()
       20 static int cachefiles_read_waiter(wait_queue_entry_t *wait, unsigned mode,
       21                                   int sync, void *_key)
       22 {
      ...
       61         spin_lock(&object->work_lock);
       62         list_add_tail(&monitor->op_link, &op->to_do);
       63         spin_unlock(&object->work_lock);
      <begin race window>
       64
       65         fscache_enqueue_retrieval(op);
      182 static inline void fscache_enqueue_retrieval(struct fscache_retrieval *op)
      183 {
      184         fscache_enqueue_operation(&op->op);
      185 }
       58 void fscache_enqueue_operation(struct fscache_operation *op)
       59 {
       60         struct fscache_cookie *cookie = op->object->cookie;
       61
       62         _enter("{OBJ%x OP%x,%u}",
       63                op->object->debug_id, op->debug_id, atomic_read(&op->usage));
       64
       65         ASSERT(list_empty(&op->pend_link));
       66         ASSERT(op->processor != NULL);
       67         ASSERT(fscache_object_is_available(op->object));
       68         ASSERTCMP(atomic_read(&op->usage), >, 0);
      <end race window>
      
      CPU2
      cachefiles_read_copier()
      168         while (!list_empty(&op->to_do)) {
      ...
      202                 fscache_end_io(op, monitor->netfs_page, error);
      203                 put_page(monitor->netfs_page);
      204                 fscache_retrieval_complete(op, 1);
      
      CPU1
       58 void fscache_enqueue_operation(struct fscache_operation *op)
       59 {
      ...
       69         ASSERTIFCMP(op->state != FSCACHE_OP_ST_IN_PROGRESS,
       70                     op->state, ==,  FSCACHE_OP_ST_CANCELLED);
      Signed-off-by: Lei Xue <carmark.dlut@gmail.com>
      Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
      Signed-off-by: David Howells <dhowells@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • gfs2: move privileged user check to gfs2_quota_lock_check · e9ec4592
      Bob Peterson authored
      [ Upstream commit 4ed0c308 ]
      
      Before this patch, function gfs2_quota_lock checked if it was called
      from a privileged user, and if so, it bypassed the quota check:
      superuser can operate outside the quotas.
      That's the wrong place for the check because the lock/unlock functions
      are separate from the lock_check function, and you can do lock and
      unlock without actually checking the quotas.
      
      This patch moves the check to gfs2_quota_lock_check.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • net: microchip: encx24j600: add missed kthread_stop · b79c51ee
      Chuhong Yuan authored
      [ Upstream commit ff8ce319 ]
      
      This driver calls kthread_run() in probe, but forgets to call
      kthread_stop() in probe failure and remove.
      Add the missed kthread_stop() to fix it.
      Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • gpio: tegra: mask GPIO IRQs during IRQ shutdown · 35a237b7
      Stephen Warren authored
      [ Upstream commit 0cf253ee ]
      
      The driver currently leaves GPIO IRQs unmasked even when the GPIO IRQ
      client has released the GPIO IRQ. This allows the HW to raise IRQs, and
      SW to process them, after shutdown. Fix this by masking the IRQ when it's
      shut down. This is usually taken care of by the irqchip core, but since
      this driver has a custom irq_shutdown implementation, it must do this
      explicitly itself.
      Signed-off-by: Stephen Warren <swarren@nvidia.com>
      Link: https://lore.kernel.org/r/20200427232605.11608-1-swarren@wwwdotorg.org
      Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: Sasha Levin <sashal@kernel.org>
    • IB/cma: Fix reference count leak when no ipv4 addresses are set · d14e9ab0
      Kalderon, Michal authored
      commit 963916fd upstream.
      
      Once in_dev_get is called to receive in_device pointer, the
      in_device reference counter is increased, but if there are
      no ipv4 addresses configured on the net-device the ifa_list
      will be null, resulting in a flow that doesn't call in_dev_put
      to decrease the ref_cnt.
      This was exposed when running RoCE over ipv6 without any ipv4
      addresses configured.
      
      Fixes: commit 8e3867310c90 ("IB/cma: Fix a race condition in iboe_addr_get_sgid()")
      Signed-off-by: Michal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: Ariel Elior <Ariel.Elior@cavium.com>
      Signed-off-by: Doug Ledford <dledford@redhat.com>
      Cc: Guenter Roeck <linux@roeck-us.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • uapi: fix linux/if_pppol2tp.h userspace compilation errors · b3a6fd24
      Dmitry V. Levin authored
      commit a725eb15 upstream.
      
      Because of <linux/libc-compat.h> interface limitations, <netinet/in.h>
      provided by libc cannot be included after <linux/in.h>, therefore any
      header that includes <netinet/in.h> cannot be included after <linux/in.h>.
      
      Change uapi/linux/l2tp.h, the last uapi header that includes
      <netinet/in.h>, to include <linux/in.h> and <linux/in6.h> instead of
      <netinet/in.h> and use __SOCK_SIZE__ instead of sizeof(struct sockaddr)
      the same way as uapi/linux/in.h does, to fix linux/if_pppol2tp.h userspace
      compilation errors like this:
      
      In file included from /usr/include/linux/l2tp.h:12:0,
                       from /usr/include/linux/if_pppol2tp.h:21,
      /usr/include/netinet/in.h:31:8: error: redefinition of 'struct in_addr'
      
      Fixes: 47c3e778 ("net: l2tp: deprecate PPPOL2TP_MSG_* in favour of L2TP_MSG_*")
      Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Asbjoern Sloth Toennesen <asbjorn@asbjorn.st>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx4_core: fix a memory leak bug. · 2256bf0e
      Qiushi Wu authored
      commit febfd9d3 upstream.
      
      In function mlx4_opreq_action(), pointer "mailbox" is not released
      when mlx4_cmd_box() returns an error, causing a memory leak bug.
      Fix this issue by going to the "out" label, where mlx4_free_cmd_mailbox()
      can free this pointer.
      
      Fixes: fe6f700d ("net/mlx4_core: Respond to operation request by firmware")
      Signed-off-by: Qiushi Wu <wu000273@umn.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: sun: fix missing release regions in cas_init_one(). · 6a6237db
      Qiushi Wu authored
      commit 5a730153 upstream.
      
      In cas_init_one(), "pdev" is requested by "pci_request_regions", but it
      was not released after a call of the function “pci_write_config_byte”
      failed. Thus replace the jump target “err_write_cacheline” by
      "err_out_free_res".
      
      Fixes: 1f26dac3 ("[NET]: Add Sun Cassini driver.")
      Signed-off-by: Qiushi Wu <wu000273@umn.edu>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5: Add command entry handling completion · 87959b0f
      Moshe Shemesh authored
      [ Upstream commit 17d00e83 ]
      
      When FW response to commands is very slow and all command entries in
      use are waiting for completion, we can have a race where commands can time
      out before they get out of the queue and handled. Timeout
      completion on an uninitialized command will cause releasing the command's
      buffers before accessing it for initialization, and then we will get a NULL
      pointer exception while trying to access it. It may also cause releasing
      buffers of another command, since we may have timeout completion before
      even allocating an entry index for this command.
      Add entry handling completion to avoid this race.
      
      Fixes: e126ba97 ("mlx5: Add driver for Mellanox Connect-IB adapters")
      Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
      Signed-off-by: Eran Ben Elisha <eranbe@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() · 4b55bd39
      Manivannan Sadhasivam authored
      [ Upstream commit d28ea1fb ]
      
      Once the traversal of the list is completed with list_for_each_entry(),
      the iterator (node) will point to an invalid object. So passing this to
      qrtr_local_enqueue(), which is outside of the iterator block, is erroneous
      even though the object is not used.
      
      So fix this by passing NULL to qrtr_local_enqueue().
      
      Fixes: bdabad3e ("net: Add Qualcomm IPC router")
      Reported-by: kbuild test robot <lkp@intel.com>
      Reported-by: Julia Lawall <julia.lawall@lip6.fr>
      Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
      Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net/mlx5e: Update netdev txq on completions during closure · b651a011
      Moshe Shemesh authored
      [ Upstream commit 5e911e2c ]
      
      On sq closure when we free its descriptors, we should also update netdev
      txq on completions which would not arrive. Otherwise if we reopen sqs
      and attach them back, for example on fw fatal recovery flow, we may get
      tx timeout.
      
      Fixes: 29429f33 ("net/mlx5e: Timeout if SQ doesn't flush during close")
      Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
      Reviewed-by: Tariq Toukan <tariqt@mellanox.com>
      Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed · 5e350e7c
      Jere Leppänen authored
      [ Upstream commit d3e8e4c1 ]
      
      Commit bdf6fa52 ("sctp: handle association restarts when the
      socket is closed.") starts shutdown when an association is restarted,
      if in SHUTDOWN-PENDING state and the socket is closed. However, the
      rationale stated in that commit applies also when in SHUTDOWN-SENT
      state - we don't want to move an association to ESTABLISHED state when
      the socket has been closed, because that results in an association
      that is unreachable from user space.
      
      The problem scenario:
      
      1.  Client crashes and/or restarts.
      
      2.  Server (using one-to-one socket) calls close(). SHUTDOWN is lost.
      
      3.  Client reconnects using the same addresses and ports.
      
      4.  Server's association is restarted. The association and the socket
          move to ESTABLISHED state, even though the server process has
          closed its descriptor.
      
      Also, after step 4 when the server process exits, some resources are
      leaked in an attempt to release the underlying inet sock structure in
      ESTABLISHED state:
      
          IPv4: Attempt to release TCP socket in state 1 00000000377288c7
      
      Fix by acting the same way as in SHUTDOWN-PENDING state. That is, if
      an association is restarted in SHUTDOWN-SENT state and the socket is
      closed, then start shutdown and don't move the association or the
      socket to ESTABLISHED state.
      
      Fixes: bdf6fa52 ("sctp: handle association restarts when the socket is closed.")
      Signed-off-by: Jere Leppänen <jere.leppanen@nokia.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net sched: fix reporting the first-time use timestamp · 9a729a47
      Roman Mashak authored
      [ Upstream commit b15e6263 ]
      
      When a new action is installed, firstuse field of 'tcf_t' is explicitly set
      to 0. Value of zero means "new action, not yet used"; as a packet hits the
      action, 'firstuse' is stamped with the current jiffies value.
      
      tcf_tm_dump() should return 0 for firstuse if action has not yet been hit.
      
      Fixes: 48d8ee16 ("net sched actions: aggregate dumping of actions timeinfo")
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: Roman Mashak <mrv@mojatatu.com>
      Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" · f08aeb33
      Yuqi Jin authored
      [ Upstream commit a6211caa ]
      
      Commit adb03115 ("net: get rid of an signed integer overflow in ip_idents_reserve()")
      used atomic_cmpxchg to replace "atomic_add_return" inside the function
      "ip_idents_reserve". The reason was to avoid UBSAN warning.
      However, this change has caused performance degradation, and in GCC-8,
      fno-strict-overflow is now mapped to -fwrapv -fwrapv-pointer
      and signed integer overflow is now undefined by default at all
      optimization levels[1]. Moreover, it was a bug in UBSAN vs -fwrapv
      /-fno-strict-overflow, so let's revert it safely.
      
      [1] https://gcc.gnu.org/gcc-8/changes.html
      Suggested-by: Peter Zijlstra <peterz@infradead.org>
      Suggested-by: Eric Dumazet <edumazet@google.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: Arvind Sankar <nivedita@alum.mit.edu>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jiong Wang <jiongwang@huawei.com>
      Signed-off-by: Yuqi Jin <jinyuqi@huawei.com>
      Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • net: ipip: fix wrong address family in init error path · 72e2d903
      Vadim Fedorenko authored
      [ Upstream commit 57ebc8f0 ]
      
      In case of error with MPLS support the code is misusing AF_INET
      instead of AF_MPLS.
      
      Fixes: 1b69e7e6 ("ipip: support MPLS over IPv4")
      Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    • ax25: fix setsockopt(SO_BINDTODEVICE) · decc637b
      Eric Dumazet authored
      [ Upstream commit 687775ce ]
      
      syzbot was able to trigger this trace [1], probably by using
      a zero optlen.
      
      While we are at it, cap optlen to IFNAMSIZ - 1 instead of IFNAMSIZ.
      
      [1]
      BUG: KMSAN: uninit-value in strnlen+0xf9/0x170 lib/string.c:569
      CPU: 0 PID: 8807 Comm: syz-executor483 Not tainted 5.7.0-rc4-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x220 lib/dump_stack.c:118
       kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:121
       __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
       strnlen+0xf9/0x170 lib/string.c:569
       dev_name_hash net/core/dev.c:207 [inline]
       netdev_name_node_lookup net/core/dev.c:277 [inline]
       __dev_get_by_name+0x75/0x2b0 net/core/dev.c:778
       ax25_setsockopt+0xfa3/0x1170 net/ax25/af_ax25.c:654
       __compat_sys_setsockopt+0x4ed/0x910 net/compat.c:403
       __do_compat_sys_setsockopt net/compat.c:413 [inline]
       __se_compat_sys_setsockopt+0xdd/0x100 net/compat.c:410
       __ia32_compat_sys_setsockopt+0x62/0x80 net/compat.c:410
       do_syscall_32_irqs_on arch/x86/entry/common.c:339 [inline]
       do_fast_syscall_32+0x3bf/0x6d0 arch/x86/entry/common.c:398
       entry_SYSENTER_compat+0x68/0x77 arch/x86/entry/entry_64_compat.S:139
      RIP: 0023:0xf7f57dd9
      Code: 90 e8 0b 00 00 00 f3 90 0f ae e8 eb f9 8d 74 26 00 89 3c 24 c3 90 90 90 90 90 90 90 90 90 90 90 90 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90
      RSP: 002b:00000000ffae8c1c EFLAGS: 00000217 ORIG_RAX: 000000000000016e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000000101
      RDX: 0000000000000019 RSI: 0000000020000000 RDI: 0000000000000004
      RBP: 0000000000000012 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
      
      Local variable ----devname@ax25_setsockopt created at:
       ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
       ax25_setsockopt+0xe6/0x1170 net/ax25/af_ax25.c:536
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  2. 27 May, 2020 24 commits