Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2019-19526

In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.

CVE
#web#ios#mac#apple#google#linux#js#git#oracle#kubernetes#intel#c++#perl#samba#vmware#lenovo#amd#bios#buffer_overflow#asus#huawei#auth#ibm#dell#sap#wifi

commit fd272dcd73353e737928d50497ec113fa1d347f2 Author: Greg Kroah-Hartman Date: Wed Nov 6 13:09:35 2019 +0100 Linux 5.3.9 commit e288c19a390318b82f25a34231c0f7e887dd3f0d Author: Takashi Iwai Date: Mon Oct 28 09:10:56 2019 +0100 Revert “ALSA: hda: Flush interrupts on disabling” [ Upstream commit 1a7f60b9df614bb36d14dc0c0bc898a31b2b506f ] This reverts commit caa8422d01e983782548648e125fd617cadcec3f. It turned out that this commit caused a regression at shutdown / reboot, as the synchronize_irq() calls seems blocking the whole shutdown. Also another part of the change about shuffling the call order looks suspicious; the azx_stop_chip() call disables the CORB / RIRB while the others may still need the CORB/RIRB update. Since the original commit itself was a cargo-fix, let’s revert the whole patch. Fixes: caa8422d01e9 (“ALSA: hda: Flush interrupts on disabling”) BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205333 BugLinK: https://bugs.freedesktop.org/show_bug.cgi?id=111174 Signed-off-by: Takashi Iwai Cc: Chris Wilson Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 0684db8ac8f5ca3d3e7b39736c23d06ec83a7933 Author: Sasha Levin Date: Tue Nov 5 21:09:19 2019 -0500 Revert “nvme: allow 64-bit results in passthru commands” This reverts commit 76d609da9ed1cc0dc780e2b539d7b827ce28f182. The patch adds new functionality and shouldn’t have been backported. Signed-off-by: Sasha Levin commit cf3531f507d2172cfbcbcff31cf68fccd91a94cf Author: Nicholas Piggin Date: Tue Oct 22 21:58:14 2019 +1000 powerpc/powernv: Fix CPU idle to be called with IRQs disabled [ Upstream commit 7d6475051fb3d9339c5c760ed9883bc0a9048b21 ] Commit e78a7614f3876 (“idle: Prevent late-arriving interrupts from disrupting offline”) changes arch_cpu_idle_dead to be called with interrupts disabled, which triggers the WARN in pnv_smp_cpu_kill_self. Fix this by fixing up irq_happened after hard disabling, rather than requiring there are no pending interrupts, similarly to what was done done until commit 2525db04d1cc5 (“powerpc/powernv: Simplify lazy IRQ handling in CPU offline”). Fixes: e78a7614f3876 (“idle: Prevent late-arriving interrupts from disrupting offline”) Reported-by: Paul Mackerras Signed-off-by: Nicholas Piggin [mpe: Add unexpected_mask rather than checking for known bad values, change the WARN_ON() to a WARN_ON_ONCE()] Signed-off-by: Michael Ellerman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit f909e9a21ac4389cbe93f1ce737c187a2f320515 Author: Qian Cai Date: Tue Aug 20 14:40:55 2019 -0400 sched/fair: Fix -Wunused-but-set-variable warnings [ Upstream commit 763a9ec06c409dcde2a761aac4bb83ff3938e0b3 ] Commit: de53fd7aedb1 (“sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices”) introduced a few compilation warnings: kernel/sched/fair.c: In function '__refill_cfs_bandwidth_runtime’: kernel/sched/fair.c:4365:6: warning: variable ‘now’ set but not used [-Wunused-but-set-variable] kernel/sched/fair.c: In function 'start_cfs_bandwidth’: kernel/sched/fair.c:4992:6: warning: variable ‘overrun’ set but not used [-Wunused-but-set-variable] Also, __refill_cfs_bandwidth_runtime() does no longer update the expiration time, so fix the comments accordingly. Signed-off-by: Qian Cai Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Ben Segall Reviewed-by: Dave Chiluk Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: [email protected] Fixes: de53fd7aedb1 (“sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices”) Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 88930e20b0235ca278bc86253896620f4c6de835 Author: Jason Gunthorpe Date: Thu Oct 24 23:49:13 2019 +0000 RDMA/mlx5: Use irq xarray locking for mkey_table [ Upstream commit 1524b12a6e02a85264af4ed208b034a2239ef374 ] The mkey_table xarray is touched by the reg_mr_callback() function which is called from a hard irq. Thus all other uses of xa_lock must use the _irq variants. WARNING: inconsistent lock state 5.4.0-rc1 #12 Not tainted -------------------------------- inconsistent {IN-HARDIRQ-W} -> {HARDIRQ-ON-W} usage. python3/343 [HC0[0]:SC0[0]:HE1:SE1] takes: ffff888182be1d40 (&(&xa->xa_lock)->rlock#3){?.-.}, at: xa_erase+0x12/0x30 {IN-HARDIRQ-W} state was registered at: lock_acquire+0xe1/0x200 _raw_spin_lock_irqsave+0x35/0x50 reg_mr_callback+0x2dd/0x450 [mlx5_ib] mlx5_cmd_exec_cb_handler+0x2c/0x70 [mlx5_core] mlx5_cmd_comp_handler+0x355/0x840 [mlx5_core] […] Possible unsafe locking scenario: CPU0 ---- lock(&(&xa->xa_lock)->rlock#3); lock(&(&xa->xa_lock)->rlock#3); *** DEADLOCK *** 2 locks held by python3/343: #0: ffff88818eb4bd38 (&uverbs_dev->disassociate_srcu){…}, at: ib_uverbs_ioctl+0xe5/0x1e0 [ib_uverbs] #1: ffff888176c76d38 (&file->hw_destroy_rwsem){++++}, at: uobj_destroy+0x2d/0x90 [ib_uverbs] stack backtrace: CPU: 3 PID: 343 Comm: python3 Not tainted 5.4.0-rc1 #12 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack+0x86/0xca print_usage_bug.cold.50+0x2e5/0x355 mark_lock+0x871/0xb50 ? match_held_lock+0x20/0x250 ? check_usage_forwards+0x240/0x240 __lock_acquire+0x7de/0x23a0 ? __kasan_check_read+0x11/0x20 ? mark_lock+0xae/0xb50 ? mark_held_locks+0xb0/0xb0 ? find_held_lock+0xca/0xf0 lock_acquire+0xe1/0x200 ? xa_erase+0x12/0x30 _raw_spin_lock+0x2a/0x40 ? xa_erase+0x12/0x30 xa_erase+0x12/0x30 mlx5_ib_dealloc_mw+0x55/0xa0 [mlx5_ib] uverbs_dealloc_mw+0x3c/0x70 [ib_uverbs] uverbs_free_mw+0x1a/0x20 [ib_uverbs] destroy_hw_idr_uobject+0x49/0xa0 [ib_uverbs] […] Fixes: 0417791536ae (“RDMA/mlx5: Add missing synchronize_srcu() for MW cases”) Link: https://lore.kernel.org/r/[email protected] Acked-by: Leon Romanovsky Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 36ac9b9e4a805c1e498f54d1bad4bf5821a85ffa Author: Justin Song Date: Thu Oct 24 12:27:14 2019 +0200 ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface [ Upstream commit e2995b95a914bbc6b5352be27d5d5f33ec802d2c ] This patch adds native DSD support for Gustard U16/X26 USB Interface. Tested using VID and fp->dsd_raw method. Signed-off-by: Justin Song Cc: Link: https://lore.kernel.org/r/CA+9XP1ipsFn+r3bCBKRinQv-JrJ+EHOGBdZWZoMwxFv0R8Y1MQ@mail.gmail.com Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit ee277d4f5926562c989ffdc792239b9369848a3a Author: Jussi Laako Date: Wed Aug 28 00:08:47 2019 +0300 ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel [ Upstream commit 0067e154b11e236d62a7a8205f321b097c21a35b ] Oppo has issued firmware updates that change alt setting used for DSD support. However, these devices seem to support auto-detection, so support is moved from explicit whitelisting to auto-detection. Also Rotel devices have USB interfaces that support DSD with auto-detection. Signed-off-by: Jussi Laako Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 7eaad275013bf95ade9761c4dc8469dbb87335e8 Author: Jussi Laako Date: Wed Aug 28 00:08:46 2019 +0300 ALSA: usb-audio: DSD auto-detection for Playback Designs [ Upstream commit eb7505d52a2f8b0cfc3fd7146d8cb2dab5a73f0d ] Add DSD support auto-detection for newer Playback Designs devices. Older device generations have a different USB interface implementation. Keep the auto-detection VID whitelist sorted. Signed-off-by: Jussi Laako Signed-off-by: Takashi Iwai Signed-off-by: Sasha Levin commit 2bd11026299bdcb6d4b751d584913433b6d9b0b6 Author: Dave Chiluk Date: Tue Jul 23 11:44:26 2019 -0500 sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices commit de53fd7aedb100f03e5d2231cfce0e4993282425 upstream. It has been observed, that highly-threaded, non-cpu-bound applications running under cpu.cfs_quota_us constraints can hit a high percentage of periods throttled while simultaneously not consuming the allocated amount of quota. This use case is typical of user-interactive non-cpu bound applications, such as those running in kubernetes or mesos when run on multiple cpu cores. This has been root caused to cpu-local run queue being allocated per cpu bandwidth slices, and then not fully using that slice within the period. At which point the slice and quota expires. This expiration of unused slice results in applications not being able to utilize the quota for which they are allocated. The non-expiration of per-cpu slices was recently fixed by 'commit 512ac999d275 (“sched/fair: Fix bandwidth timer clock drift condition”)‘. Prior to that it appears that this had been broken since at least ‘commit 51f2176d74ac (“sched/fair: Fix unlocked reads of some cfs_b->quota/period”)' which was introduced in v3.16-rc1 in 2014. That added the following conditional which resulted in slices never being expired. if (cfs_rq->runtime_expires != cfs_b->runtime_expires) { /* extend local deadline, drift is bounded above by 2 ticks */ cfs_rq->runtime_expires += TICK_NSEC; Because this was broken for nearly 5 years, and has recently been fixed and is now being noticed by many users running kubernetes (https://github.com/kubernetes/kubernetes/issues/67577) it is my opinion that the mechanisms around expiring runtime should be removed altogether. This allows quota already allocated to per-cpu run-queues to live longer than the period boundary. This allows threads on runqueues that do not use much CPU to continue to use their remaining slice over a longer period of time than cpu.cfs_period_us. However, this helps prevent the above condition of hitting throttling while also not fully utilizing your cpu quota. This theoretically allows a machine to use slightly more than its allotted quota in some periods. This overflow would be bounded by the remaining quota left on each per-cpu runqueueu. This is typically no more than min_cfs_rq_runtime=1ms per cpu. For CPU bound tasks this will change nothing, as they should theoretically fully utilize all of their quota in each period. For user-interactive tasks as described above this provides a much better user/application experience as their cpu utilization will more closely match the amount they requested when they hit throttling. This means that cpu limits no longer strictly apply per period for non-cpu bound applications, but that they are still accurate over longer timeframes. This greatly improves performance of high-thread-count, non-cpu bound applications with low cfs_quota_us allocation on high-core-count machines. In the case of an artificial testcase (10ms/100ms of quota on 80 CPU machine), this commit resulted in almost 30x performance improvement, while still maintaining correct cpu quota restrictions. That testcase is available at https://github.com/indeedeng/fibtest. Fixes: 512ac999d275 (“sched/fair: Fix bandwidth timer clock drift condition”) Signed-off-by: Dave Chiluk Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Phil Auld Reviewed-by: Ben Segall Cc: Ingo Molnar Cc: John Hammond Cc: Jonathan Corbet Cc: Kyle Anderson Cc: Gabriel Munos Cc: Peter Oskolkov Cc: Cong Wang Cc: Brendan Gregg Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit bec05e4609d6962722987a2eeda42db04319d6eb Author: Luca Coelho Date: Tue Oct 8 13:10:53 2019 +0300 iwlwifi: exclude GEO SAR support for 3168 commit 12e36d98d3e5acf5fc57774e0a15906d55f30cb9 upstream. We currently support two NICs in FW version 29, namely 7265D and 3168. Out of these, only 7265D supports GEO SAR, so adjust the function that checks for it accordingly. Signed-off-by: Luca Coelho Fixes: f5a47fae6aa3 (“iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support”) Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 83a307d114c02412900704f5a2afe5c72e6d5470 Author: Vlad Buslov Date: Tue Sep 24 18:51:18 2019 +0300 net: sched: sch_sfb: don’t call qdisc_put() while holding tree lock commit e3ae1f96accd21405715fe9c56b4d83bc7d96d44 upstream. Recent changes that removed rtnl dependency from rules update path of tc also made tcf_block_put() function sleeping. This function is called from ops->destroy() of several Qdisc implementations, which in turn is called by qdisc_put(). Some Qdiscs call qdisc_put() while holding sch tree spinlock, which results sleeping-while-atomic BUG. Steps to reproduce for sfb: tc qdisc add dev ens1f0 handle 1: root sfb tc qdisc add dev ens1f0 parent 1:10 handle 50: sfq perturb 10 tc qdisc change dev ens1f0 root handle 1: sfb Resulting dmesg: [ 7265.938717] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:909 [ 7265.940152] in_atomic(): 1, irqs_disabled(): 0, pid: 28579, name: tc [ 7265.941455] INFO: lockdep is turned off. [ 7265.942744] CPU: 11 PID: 28579 Comm: tc Tainted: G W 5.3.0-rc8+ #721 [ 7265.944065] Hardware name: Supermicro SYS-2028TP-DECR/X10DRT-P, BIOS 2.0b 03/30/2017 [ 7265.945396] Call Trace: [ 7265.946709] dump_stack+0x85/0xc0 [ 7265.947994] ___might_sleep.cold+0xac/0xbc [ 7265.949282] __mutex_lock+0x5b/0x960 [ 7265.950543] ? tcf_chain0_head_change_cb_del.isra.0+0x1b/0xf0 [ 7265.951803] ? tcf_chain0_head_change_cb_del.isra.0+0x1b/0xf0 [ 7265.953022] tcf_chain0_head_change_cb_del.isra.0+0x1b/0xf0 [ 7265.954248] tcf_block_put_ext.part.0+0x21/0x50 [ 7265.955478] tcf_block_put+0x50/0x70 [ 7265.956694] sfq_destroy+0x15/0x50 [sch_sfq] [ 7265.957898] qdisc_destroy+0x5f/0x160 [ 7265.959099] sfb_change+0x175/0x330 [sch_sfb] [ 7265.960304] tc_modify_qdisc+0x324/0x840 [ 7265.961503] rtnetlink_rcv_msg+0x170/0x4b0 [ 7265.962692] ? netlink_deliver_tap+0x95/0x400 [ 7265.963876] ? rtnl_dellink+0x2d0/0x2d0 [ 7265.965064] netlink_rcv_skb+0x49/0x110 [ 7265.966251] netlink_unicast+0x171/0x200 [ 7265.967427] netlink_sendmsg+0x224/0x3f0 [ 7265.968595] sock_sendmsg+0x5e/0x60 [ 7265.969753] ___sys_sendmsg+0x2ae/0x330 [ 7265.970916] ? ___sys_recvmsg+0x159/0x1f0 [ 7265.972074] ? do_wp_page+0x9c/0x790 [ 7265.973233] ? __handle_mm_fault+0xcd3/0x19e0 [ 7265.974407] __sys_sendmsg+0x59/0xa0 [ 7265.975591] do_syscall_64+0x5c/0xb0 [ 7265.976753] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 7265.977938] RIP: 0033:0x7f229069f7b8 [ 7265.979117] Code: 89 02 48 c7 c0 ff ff ff ff eb bb 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 8d 05 65 8f 0c 00 8b 00 85 c0 75 17 b8 2e 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 89 5 4 [ 7265.981681] RSP: 002b:00007ffd7ed2d158 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 7265.983001] RAX: ffffffffffffffda RBX: 000000005d813ca1 RCX: 00007f229069f7b8 [ 7265.984336] RDX: 0000000000000000 RSI: 00007ffd7ed2d1c0 RDI: 0000000000000003 [ 7265.985682] RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000165c9a0 [ 7265.987021] R10: 0000000000404eda R11: 0000000000000246 R12: 0000000000000001 [ 7265.988309] R13: 000000000047f640 R14: 0000000000000000 R15: 0000000000000000 In sfb_change() function use qdisc_purge_queue() instead of qdisc_tree_flush_backlog() to properly reset old child Qdisc and save pointer to it into local temporary variable. Put reference to Qdisc after sch tree lock is released in order not to call potentially sleeping cls API in atomic section. This is safe to do because Qdisc has already been reset by qdisc_purge_queue() inside sch tree lock critical section. Reported-by: [email protected] Fixes: c266f64dbfa2 (“net: sched: protect block state with mutex”) Suggested-by: Cong Wang Signed-off-by: Vlad Buslov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f0f89d73a64ed0e17a50ac1ebe83d54f4a21fdfa Author: Eric Dumazet Date: Tue Sep 24 13:11:26 2019 -0700 sch_netem: fix rcu splat in netem_enqueue() commit 159d2c7d8106177bd9a986fd005a311fe0d11285 upstream. qdisc_root() use from netem_enqueue() triggers a lockdep warning. __dev_queue_xmit() uses rcu_read_lock_bh() which is not equivalent to rcu_read_lock() + local_bh_disable_bh as far as lockdep is concerned. WARNING: suspicious RCU usage 5.3.0-rc7+ #0 Not tainted ----------------------------- include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 3 locks held by syz-executor427/8855: #0: 00000000b5525c01 (rcu_read_lock_bh){…}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] #0: 00000000b5525c01 (rcu_read_lock_bh){…}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214 #1: 00000000b5525c01 (rcu_read_lock_bh){…}, at: __dev_queue_xmit+0x20a/0x3650 net/core/dev.c:3804 #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_xmit_skb net/core/dev.c:3502 [inline] #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838 stack backtrace: CPU: 0 PID: 8855 Comm: syz-executor427 Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5357 qdisc_root include/net/sch_generic.h:492 [inline] netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479 __dev_xmit_skb net/core/dev.c:3527 [inline] __dev_queue_xmit+0x15d2/0x3650 net/core/dev.c:3838 dev_queue_xmit+0x18/0x20 net/core/dev.c:3902 neigh_hh_output include/net/neighbour.h:500 [inline] neigh_output include/net/neighbour.h:509 [inline] ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228 __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290 ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417 dst_output include/net/dst.h:436 [inline] ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125 ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555 udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:887 udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1174 inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:657 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 84ff781b4225264b8d47b37cbbd01e7d4370487a Author: Valentin Vidic Date: Tue Oct 15 22:20:20 2019 +0200 net: usb: sr9800: fix uninitialized local variable commit 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 upstream. Make sure res does not contain random value if the call to sr_read_cmd fails for some reason. Reported-by: [email protected] Signed-off-by: Valentin Vidic Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d7de4f28bdd4dc0dfa16d962f37b53aefaba9f70 Author: Eric Dumazet Date: Wed Oct 9 09:19:13 2019 -0700 netfilter: conntrack: avoid possible false sharing commit e37542ba111f3974dc622ae0a21c1787318de500 upstream. As hinted by KCSAN, we need at least one READ_ONCE() to prevent a compiler optimization. More details on : https://github.com/google/ktsan/wiki/READ_ONCE-and-WRITE_ONCE#it-may-improve-performance sysbot report : BUG: KCSAN: data-race in __nf_ct_refresh_acct / __nf_ct_refresh_acct read to 0xffff888123eb4f08 of 4 bytes by interrupt on cpu 0: __nf_ct_refresh_acct+0xd4/0x1b0 net/netfilter/nf_conntrack_core.c:1796 nf_ct_refresh_acct include/net/netfilter/nf_conntrack.h:201 [inline] nf_conntrack_tcp_packet+0xd40/0x3390 net/netfilter/nf_conntrack_proto_tcp.c:1161 nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1633 [inline] nf_conntrack_in+0x410/0xaa0 net/netfilter/nf_conntrack_core.c:1727 ipv4_conntrack_in+0x27/0x40 net/netfilter/nf_conntrack_proto.c:178 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline] nf_hook_slow+0x83/0x160 net/netfilter/core.c:512 nf_hook include/linux/netfilter.h:260 [inline] NF_HOOK include/linux/netfilter.h:303 [inline] ip_rcv+0x12f/0x1a0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5004 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5118 netif_receive_skb_internal+0x59/0x190 net/core/dev.c:5208 napi_skb_finish net/core/dev.c:5671 [inline] napi_gro_receive+0x28f/0x330 net/core/dev.c:5704 receive_buf+0x284/0x30b0 drivers/net/virtio_net.c:1061 virtnet_receive drivers/net/virtio_net.c:1323 [inline] virtnet_poll+0x436/0x7d0 drivers/net/virtio_net.c:1428 napi_poll net/core/dev.c:6352 [inline] net_rx_action+0x3ae/0xa50 net/core/dev.c:6418 __do_softirq+0x115/0x33f kernel/softirq.c:292 write to 0xffff888123eb4f08 of 4 bytes by task 7191 on cpu 1: __nf_ct_refresh_acct+0xfb/0x1b0 net/netfilter/nf_conntrack_core.c:1797 nf_ct_refresh_acct include/net/netfilter/nf_conntrack.h:201 [inline] nf_conntrack_tcp_packet+0xd40/0x3390 net/netfilter/nf_conntrack_proto_tcp.c:1161 nf_conntrack_handle_packet net/netfilter/nf_conntrack_core.c:1633 [inline] nf_conntrack_in+0x410/0xaa0 net/netfilter/nf_conntrack_core.c:1727 ipv4_conntrack_local+0xbe/0x130 net/netfilter/nf_conntrack_proto.c:200 nf_hook_entry_hookfn include/linux/netfilter.h:135 [inline] nf_hook_slow+0x83/0x160 net/netfilter/core.c:512 nf_hook include/linux/netfilter.h:260 [inline] __ip_local_out+0x1f7/0x2b0 net/ipv4/ip_output.c:114 ip_local_out+0x31/0x90 net/ipv4/ip_output.c:123 __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532 ip_queue_xmit+0x45/0x60 include/net/ip.h:236 __tcp_transmit_skb+0xdeb/0x1cd0 net/ipv4/tcp_output.c:1158 __tcp_send_ack+0x246/0x300 net/ipv4/tcp_output.c:3685 tcp_send_ack+0x34/0x40 net/ipv4/tcp_output.c:3691 tcp_cleanup_rbuf+0x130/0x360 net/ipv4/tcp.c:1575 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 7191 Comm: syz-fuzzer Not tainted 5.3.0+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: cc16921351d8 (“netfilter: conntrack: avoid same-timeout update”) Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Jozsef Kadlecsik Cc: Florian Westphal Acked-by: Pablo Neira Ayuso Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 0887512e0140954d3d59d2b2c5de17161c96e1d4 Author: Eric Dumazet Date: Mon Oct 7 15:43:01 2019 -0700 bonding: fix potential NULL deref in bond_update_slave_arr commit a7137534b597b7c303203e6bc3ed87e87a273bb8 upstream. syzbot got a NULL dereference in bond_update_slave_arr() [1], happening after a failure to allocate bond->slave_arr A workqueue (bond_slave_arr_handler) is supposed to retry the allocation later, but if the slave is removed before the workqueue had a chance to complete, bond->slave_arr can still be NULL. [1] Failed to build slave-array. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN PTI Modules linked in: Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039 RSP: 0018:ffff88018fe33678 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000 RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20 RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0 FS: 00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923 [] bond_release drivers/net/bonding/bond_main.c:2039 [inline] [] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562 [] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328 [] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495 [] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088 [] sock_ioctl+0x300/0x5d0 net/socket.c:1196 [] vfs_ioctl fs/ioctl.c:47 [inline] [] file_ioctl fs/ioctl.c:501 [inline] [] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688 [] SYSC_ioctl fs/ioctl.c:705 [inline] [] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696 [] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305 [] entry_SYSCALL_64_after_hwframe+0x42/0xb7 Fixes: ee6377147409 (“bonding: Simplify the xmit function for modes that use xmit_hash”) Signed-off-by: Eric Dumazet Reported-by: syzbot Cc: Mahesh Bandewar Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit d0a11dbe9e938ea9c587d1e1124b0bd36ae1e253 Author: Johan Hovold Date: Mon Oct 7 18:40:59 2019 +0200 NFC: pn533: fix use-after-free and memleaks commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream. The driver would fail to deregister and its class device and free related resources on late probe errors. Reported-by: [email protected] Fixes: 32ecc75ded72 (“NFC: pn533: change order operations in dev registation”) Signed-off-by: Johan Hovold Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 63e93bdd123f48249c1c361b173b1e1e0914c5ec Author: David Howells Date: Mon Oct 7 10:58:29 2019 +0100 rxrpc: Fix trace-after-put looking at the put peer record commit 55f6c98e3674ce16038a1949c3f9ca5a9a99f289 upstream. rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement of the refcount - which looks at the debug_id in the peer record. But unless the refcount was reduced to zero, we no longer have the right to look in the record and, indeed, it may be deleted by some other thread. Fix this by getting the debug_id out before decrementing the refcount and then passing that into the tracepoint. This can cause the following symptoms: BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411 [inline] BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0 net/rxrpc/peer_object.c:435 Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216 Fixes: 1159d4b496f5 (“rxrpc: Add a tracepoint to track rxrpc_peer refcounting”) Reported-by: [email protected] Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit 9b7fc03b4cdbfb668b6891967105258691c6d3b5 Author: David Howells Date: Mon Oct 7 10:58:29 2019 +0100 rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record commit 9ebeddef58c41bd700419cdcece24cf64ce32276 upstream. The rxrpc_peer record needs to hold a reference on the rxrpc_local record it points as the peer is used as a base to access information in the rxrpc_local record. This can cause problems in __rxrpc_put_peer(), where we need the network namespace pointer, and in rxrpc_send_keepalive(), where we need to access the UDP socket, leading to symptoms like: BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411 [inline] BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0 net/rxrpc/peer_object.c:435 Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216 Fix this by taking a ref on the local record for the peer record. Fixes: ace45bec6d77 (“rxrpc: Fix firewall route keepalive”) Fixes: 2baec2c3f854 (“rxrpc: Support network namespacing”) Reported-by: [email protected] Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit e4cefc83207f1ac93367bcc13b6c7e3a2774a946 Author: David Howells Date: Mon Oct 7 10:58:28 2019 +0100 rxrpc: Fix call ref leak commit c48fc11b69e95007109206311b0187a3090591f3 upstream. When sendmsg() finds a call to continue on with, if the call is in an inappropriate state, it doesn’t release the ref it just got on that call before returning an error. This causes the following symptom to show up with kasan: BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940 net/rxrpc/output.c:635 Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077 where line 635 is: whdr.epoch = htonl(peer->local->rxnet->epoch); The local endpoint (which cannot be pinned by the call) has been released, but not the peer (which is pinned by the call). Fix this by releasing the call in the error path. Fixes: 37411cad633f (“rxrpc: Fix potential NULL-pointer exception”) Reported-by: [email protected] Signed-off-by: David Howells Signed-off-by: Greg Kroah-Hartman commit ceb4fc420c7e98f7baabe4f784a113c608556989 Author: Eric Biggers Date: Sun Oct 6 14:24:25 2019 -0700 llc: fix sk_buff leak in llc_conn_service() commit b74555de21acd791f12c4a1aeaf653dd7ac21133 upstream. syzbot reported: BUG: memory leak unreferenced object 0xffff88811eb3de00 (size 224): comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 … 00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff …8$… backtrace: [<000000008d1c66a1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline] [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline] [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline] [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54 [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777 [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline] [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75 [<00000000f27e53c1>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109 [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477 [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840 […] The bug is that most callers of llc_conn_send_pdu() assume it consumes a reference to the skb, when actually due to commit b85ab56c3f81 (“llc: properly handle dev_queue_xmit() return value”) it doesn’t. Revert most of that commit, and instead make the few places that need llc_conn_send_pdu() to *not* consume a reference call skb_get() before. Fixes: b85ab56c3f81 (“llc: properly handle dev_queue_xmit() return value”) Reported-by: [email protected] Signed-off-by: Eric Biggers Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit a95b751c93aa8beedd51399da85ccc6612d93e1f Author: Eric Biggers Date: Sun Oct 6 14:24:24 2019 -0700 llc: fix sk_buff leak in llc_sap_state_process() commit c6ee11c39fcc1fb55130748990a8f199e76263b4 upstream. syzbot reported: BUG: memory leak unreferenced object 0xffff888116270800 (size 224): comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 … 00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff . .*…@=*… backtrace: [<000000004d41b4cc>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline] [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline] [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline] [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline] [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671 [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 […] The bug is that llc_sap_state_process() always takes an extra reference to the skb, but sometimes neither llc_sap_next_state() nor llc_sap_state_process() itself drops this reference. Fix it by changing llc_sap_next_state() to never consume a reference to the skb, rather than sometimes do so and sometimes not. Then remove the extra skb_get() and kfree_skb() from llc_sap_state_process(). Reported-by: [email protected] Reported-by: [email protected] Fixes: 1da177e4c3f4 (“Linux-2.6.12-rc2”) Signed-off-by: Eric Biggers Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman commit 7ba8591828b2fbfc839617a1e8a1e340a1bb0f9a Author: Sven Eckelmann Date: Thu Oct 3 17:02:01 2019 +0200 batman-adv: Avoid free/alloc race when handling OGM buffer commit 40e220b4218bb3d278e5e8cc04ccdfd1c7ff8307 upstream. Each slave interface of an B.A.T.M.A.N. IV virtual interface has an OGM packet buffer which is initialized using data from netdevice notifier and other rtnetlink related hooks. It is sent regularly via various slave interfaces of the batadv virtual interface and in this process also modified (realloced) to integrate additional state information via TVLV containers. It must be avoided that the worker item is executed without a common lock with the netdevice notifier/rtnetlink helpers. Otherwise it can either happen that half modified/freed data is sent out or functions modifying the OGM buffer try to access already freed memory regions. Reported-by: [email protected] Fixes: c6c8fea29769 (“net: Add batman-adv meshing protocol”) Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Greg Kroah-Hartman commit ebb971b61d32f2eec8823c2f75b9ce2c6717844d Author: John Donnelly Date: Mon Oct 21 21:48:10 2019 -0500 iommu/vt-d: Fix panic after kexec -p for kdump commit 160c63f909ffbc797c0bbe23310ac1eaf2349d2f upstream. This cures a panic on restart after a kexec operation on 5.3 and 5.4 kernels. The underlying state of the iommu registers (iommu->flags & VTD_FLAG_TRANS_PRE_ENABLED) on a restart results in a domain being marked as “DEFER_DEVICE_DOMAIN_INFO” that produces an Oops in identity_mapping(). [ 43.654737] BUG: kernel NULL pointer dereference, address: 0000000000000056 [ 43.655720] #PF: supervisor read access in kernel mode [ 43.655720] #PF: error_code(0x0000) - not-present page [ 43.655720] PGD 0 P4D 0 [ 43.655720] Oops: 0000 [#1] SMP PTI [ 43.655720] CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.3.2-1940.el8uek.x86_64 #1 [ 43.655720] Hardware name: Oracle Corporation ORACLE SERVER X5-2/ASM,MOTHERBOARD,1U, BIOS 30140300 09/20/2018 [ 43.655720] RIP: 0010:iommu_need_mapping+0x29/0xd0 [ 43.655720] Code: 00 0f 1f 44 00 00 48 8b 97 70 02 00 00 48 83 fa ff 74 53 48 8d 4a ff b8 01 00 00 00 48 83 f9 fd 76 01 c3 48 8b 35 7f 58 e0 01 <48> 39 72 58 75 f2 55 48 89 e5 41 54 53 48 8b 87 28 02 00 00 4c 8b [ 43.655720] RSP: 0018:ffffc9000001b9b0 EFLAGS: 00010246 [ 43.655720] RAX: 0000000000000001 RBX: 0000000000001000 RCX: fffffffffffffffd [ 43.655720] RDX: fffffffffffffffe RSI: ffff8880719b8000 RDI: ffff8880477460b0 [ 43.655720] RBP: ffffc9000001b9e8 R08: 0000000000000000 R09: ffff888047c01700 [ 43.655720] R10: 00002194036fc692 R11: 0000000000000000 R12: 0000000000000000 [ 43.655720] R13: ffff8880477460b0 R14: 0000000000000cc0 R15: ffff888072d2b558 [ 43.655720] FS: 0000000000000000(0000) GS:ffff888071c00000(0000) knlGS:0000000000000000 [ 43.655720] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 43.655720] CR2: 0000000000000056 CR3: 000000007440a002 CR4: 00000000001606b0 [ 43.655720] Call Trace: [ 43.655720] ? intel_alloc_coherent+0x2a/0x180 [ 43.655720] ? __schedule+0x2c2/0x650 [ 43.655720] dma_alloc_attrs+0x8c/0xd0 [ 43.655720] dma_pool_alloc+0xdf/0x200 [ 43.655720] ehci_qh_alloc+0x58/0x130 [ 43.655720] ehci_setup+0x287/0x7ba [ 43.655720] ? _dev_info+0x6c/0x83 [ 43.655720] ehci_pci_setup+0x91/0x436 [ 43.655720] usb_add_hcd.cold.48+0x1d4/0x754 [ 43.655720] usb_hcd_pci_probe+0x2bc/0x3f0 [ 43.655720] ehci_pci_probe+0x39/0x40 [ 43.655720] local_pci_probe+0x47/0x80 [ 43.655720] pci_device_probe+0xff/0x1b0 [ 43.655720] really_probe+0xf5/0x3a0 [ 43.655720] driver_probe_device+0xbb/0x100 [ 43.655720] device_driver_attach+0x58/0x60 [ 43.655720] __driver_attach+0x8f/0x150 [ 43.655720] ? device_driver_attach+0x60/0x60 [ 43.655720] bus_for_each_dev+0x74/0xb0 [ 43.655720] driver_attach+0x1e/0x20 [ 43.655720] bus_add_driver+0x151/0x1f0 [ 43.655720] ? ehci_hcd_init+0xb2/0xb2 [ 43.655720] ? do_early_param+0x95/0x95 [ 43.655720] driver_register+0x70/0xc0 [ 43.655720] ? ehci_hcd_init+0xb2/0xb2 [ 43.655720] __pci_register_driver+0x57/0x60 [ 43.655720] ehci_pci_init+0x6a/0x6c [ 43.655720] do_one_initcall+0x4a/0x1fa [ 43.655720] ? do_early_param+0x95/0x95 [ 43.655720] kernel_init_freeable+0x1bd/0x262 [ 43.655720] ? rest_init+0xb0/0xb0 [ 43.655720] kernel_init+0xe/0x110 [ 43.655720] ret_from_fork+0x24/0x50 Fixes: 8af46c784ecfe (“iommu/vt-d: Implement is_attach_deferred iommu ops entry”) Cc: [email protected] # v5.3+ Signed-off-by: John Donnelly Reviewed-by: Lu Baolu Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 992e5ec5eabf2e38c666ab95bf266c4caa554885 Author: Jens Axboe Date: Wed Oct 30 13:53:09 2019 -0600 io_uring: ensure we clear io_kiocb->result before each issue commit 6873e0bd6a9cb14ecfadd89d9ed9698ff1761902 upstream. We use io_kiocb->result == -EAGAIN as a way to know if we need to re-submit a polled request, as -EAGAIN reporting happens out-of-line for IO submission failures. This field is cleared when we originally allocate the request, but it isn’t reset when we retry the submission from async context. This can cause issues where we think something needs a re-issue, but we’re really just reading stale data. Reset ->result whenever we re-prep a request for polled submission. Cc: [email protected] Fixes: 9e645e1105ca (“io_uring: add support for sqe links”) Reported-by: Bijan Mottahedeh Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit b60ec67f67f6cb034a1b8ee00573c6edd7f153a7 Author: Trond Myklebust Date: Thu Oct 31 18:40:33 2019 -0400 NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() commit 79cc55422ce99be5964bde208ba8557174720893 upstream. A typo in nfs4_refresh_delegation_stateid() means we’re leaking an RCU lock, and always returning a value of ‘false’. As the function description states, we were always supposed to return ‘true’ if a matching delegation was found. Fixes: 12f275cdd163 (“NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID.”) Cc: [email protected] # v4.15+ Signed-off-by: Trond Myklebust Signed-off-by: Anna Schumaker Signed-off-by: Greg Kroah-Hartman commit 0ca43e1bc7b04c15eaa32ee19dadae2005abc68b Author: chen gong Date: Wed Oct 23 13:54:32 2019 +0800 drm/amdgpu: Fix SDMA hang when performing VKexample test commit e5574f61e9d8274c49e9a5d943abde8e938d57e1 upstream. VKexample test hang during Occlusion/SDMA/Varia runs. Clear XNACK_WATERMK in reg SDMA0_UTCL1_WATERMK to fix this issue. Signed-off-by: chen gong Reviewed-by: Aaron Liu Signed-off-by: Alex Deucher Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 99c996d426dc9905af1f3af7f03b5a70abd9d83f Author: Pelle van Gils Date: Thu Oct 24 16:04:31 2019 +0200 drm/amdgpu/powerplay/vega10: allow undervolting in p7 commit e6f4e274c1e52d1f0bfe293fb44ddf59de6c0374 upstream. The vega10_odn_update_soc_table() function does not allow the SCLK dependent voltage to be set for power-state 7 to a value below the default in pptable. Change the for-loop condition to allow undervolting in the highest state. Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205277 Signed-off-by: Pelle van Gils Signed-off-by: Alex Deucher Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 6a9318cdacb94097cb7801ec229c5798ae053d55 Author: Tianci.Yin Date: Thu Oct 24 18:03:17 2019 +0800 drm/amdgpu/gfx10: update gfx golden settings commit f52ebe1f888dfae68d7cffabf5ac898f8cb64fb3 upstream. update registers: mmCGTT_SPI_CLK_CTRL Reviewed-by: Feifei Xu Signed-off-by: Tianci.Yin Signed-off-by: Alex Deucher Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit 408ed01fbdd26054015530f2bf95635ca6f7ba4b Author: Ville Syrjälä Date: Tue Oct 22 21:56:43 2019 +0300 drm/i915: Fix PCH reference clock for FDI on HSW/BDW commit 59cd826fb5e7889515bf5771e295e0624c348571 upstream. The change to skip the PCH reference initialization during fastboot did end up breaking FDI. To fix that let’s try to do the PCH reference init whenever we’re disabling a DPLL that was using said reference previously. Cc: [email protected] Tested-by: Andrija Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=112084 Fixes: b16c7ed95caf (“drm/i915: Do not touch the PCH SSC reference if a PLL is using it”) Signed-off-by: Ville Syrjälä Link: https://patchwork.freedesktop.org/patch/msgid/[email protected] Reviewed-by: Imre Deak (cherry picked from commit dd5279c71405533d4ddbb9453effc60f0f5bf211) Signed-off-by: Rodrigo Vivi Signed-off-by: Greg Kroah-Hartman commit db5b7300c4f83cb77326454da32eb5cf6d65bc80 Author: Alex Deucher Date: Tue Oct 29 17:14:15 2019 -0400 drm/amdgpu/gmc10: properly set BANK_SELECT and FRAGMENT_SIZE commit 30ef5c7eaba0ddafc6c23eca65ebe52169dfcc60 upstream. These were not aligned for optimal performance for GPUVM. Acked-by: Christian König Reviewed-by: Tianci Yin Signed-off-by: Alex Deucher Cc: [email protected] Signed-off-by: Greg Kroah-Hartman commit a7c2d0788d5948e9364422821bbaeb050fd3950a Author: Tony Lindgren Date: Wed Oct 23 08:31:38 2019 -0700 dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle commit bacdcb6675e170bb2e8d3824da220e10274f42a7 upstream. Yegor Yefremov reported that musb and ftdi uart can fail for the first open of the uart unless connected using a hub. This is because the first dma call done by musb_ep_program() must wait if cppi41 is PM runtime suspended. Otherwise musb_ep_program() continues with other non-dma packets before the DMA transfer is started causing at least ftdi uarts to fail to receive data. Let’s fix the issue by waking up cppi41 with PM runtime calls added to cppi41_dma_prep_slave_sg() and return NULL if still idled. This way we have musb_ep_program() continue with PIO until cppi41 is awake. Fixes: fdea2d09b997 (“dmaengine: cppi41: Add basic PM runtime support”) Reported-by: Yegor Yefremov Signed-off-by: Tony Lindgren Cc: [email protected] # v4.9+ Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 8c92d3fb7b6f29d6df3709cca65f137a7eb59bbe Author: Robin Gong Date: Tue Sep 24 09:49:18 2019 +0000 dmaengine: imx-sdma: fix size check for sdma script_number commit bd73dfabdda280fc5f05bdec79b6721b4b2f035f upstream. Illegal memory will be touch if SDMA_SCRIPT_ADDRS_ARRAY_SIZE_V3 (41) exceed the size of structure sdma_script_start_addrs(40), thus cause memory corrupt such as slob block header so that kernel trap into while() loop forever in slob_free(). Please refer to below code piece in imx-sdma.c: for (i = 0; i < sdma->script_number; i++) if (addr_arr[i] > 0) saddr_arr[i] = addr_arr[i]; /* memory corrupt here */ That issue was brought by commit a572460be9cf (“dmaengine: imx-sdma: Add support for version 3 firmware”) because SDMA_SCRIPT_ADDRS_ARRAY_SIZE_V3 (38->41 3 scripts added) not align with script number added in sdma_script_start_addrs(2 scripts). Fixes: a572460be9cf (“dmaengine: imx-sdma: Add support for version 3 firmware”) Cc: [email protected] Link: https://www.spinics.net/lists/arm-kernel/msg754895.html Signed-off-by: Robin Gong Reported-by: Jurgen Lambrecht Link: https://lore.kernel.org/r/[email protected] [vkoul: update the patch title] Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit c4c84d41bb2fdb73bed1ff6e69772f7577489e64 Author: Sameer Pujar Date: Mon Sep 16 15:05:13 2019 +0530 dmaengine: tegra210-adma: fix transfer failure commit 9ec691f48b5ef741a48af8932ccaec859c67e8f1 upstream. >From Tegra186 onwards OUTSTANDING_REQUESTS field is added in channel configuration register(bits 7:4) which defines the maximum number of reads from the source and writes to the destination that may be outstanding at any given point of time. This field must be programmed with a value between 1 and 8. A value of 0 will prevent any transfers from happening. Thus added ‘has_outstanding_reqs’ bool member in chip data structure and is set to false for Tegra210, since the field is not applicable. For Tegra186 it is set to true and channel configuration is updated with maximum outstanding requests. Fixes: 433de642a76c (“dmaengine: tegra210-adma: add support for Tegra186/Tegra194”) Cc: [email protected] Signed-off-by: Sameer Pujar Acked-by: Jon Hunter Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit f02f7c4ffef07cb91eb987c55c0be160807ca49f Author: Jeffrey Hugo Date: Thu Oct 17 08:26:06 2019 -0700 dmaengine: qcom: bam_dma: Fix resource leak commit 7667819385457b4aeb5fac94f67f52ab52cc10d5 upstream. bam_dma_terminate_all() will leak resources if any of the transactions are committed to the hardware (present in the desc fifo), and not complete. Since bam_dma_terminate_all() does not cause the hardware to be updated, the hardware will still operate on any previously committed transactions. This can cause memory corruption if the memory for the transaction has been reassigned, and will cause a sync issue between the BAM and its client(s). Fix this by properly updating the hardware in bam_dma_terminate_all(). Fixes: e7c0fe2a5c84 (“dmaengine: add Qualcomm BAM dma driver”) Signed-off-by: Jeffrey Hugo Cc: [email protected] Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Vinod Koul Signed-off-by: Greg Kroah-Hartman commit 867b353fb148a02c5a46fbd6e78a23f26aa939ab Author: Paolo Bonzini Date: Sun Oct 27 16:23:23 2019 +0100 KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active commit 9167ab79936206118cc60e47dcb926c3489f3bd5 upstream. VMX already does so if the host has SMEP, in order to support the combination of CR0.WP=1 and CR4.SMEP=1. However, it is perfectly safe to always do so, and in fact VMX already ends up running with EFER.NXE=1 on old processors that lack the “load EFER” controls, because it may help avoiding a slow MSR write. Removing all the conditionals simplifies the code. SVM does not have similar code, but it should since recent AMD processors do support SMEP. So this patch also makes the code for the two vendors more similar while fixing NPT=0, CR0.WP=1 and CR4.SMEP=1 on AMD processors. Cc: [email protected] Cc: Joerg Roedel Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman commit c1b81d88fae832f985473451949b2f05338c3109 Author: Laura Abbott Date: Fri Oct 18 07:43:21 2019 -0400 rtlwifi: Fix potential overflow on P2P code commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream. Nicolas Waisman noticed that even though noa_len is checked for a compatible length it’s still possible to overrun the buffers of p2pinfo since there’s no check on the upper bound of noa_num. Bound noa_num against P2P_MAX_NOA_NUM. Reported-by: Nicolas Waisman Signed-off-by: Laura Abbott Acked-by: Ping-Ke Shih Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 14959b02cfb54382b9a187f85d02847ba0f3d0be Author: Larry Finger Date: Sun Oct 20 19:56:58 2019 -0500 rtlwifi: rtl_pci: Fix problem of too small skb->len commit b43f4a169f220e459edf3ea8f8cd3ec4ae7fa82d upstream. In commit 8020919a9b99 (“mac80211: Properly handle SKB with radiotap only”), buffers whose length is too short cause a WARN_ON(1) to be executed. This change exposed a fault in rtlwifi drivers, which is fixed by regarding packets with skb->len <= FCS_LEN as though they are in error and dropping them. The test is now annotated as likely. Cc: Stable # v5.0+ Signed-off-by: Larry Finger Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 713df057a5152921b5899bed0b3aa4b4765ff6fa Author: Marvin Liu Date: Tue Oct 22 01:10:04 2019 +0800 virtio_ring: fix stalls for packed rings commit 40ce7919d8730f5936da2bc8a21b46bd07db6411 upstream. When VIRTIO_F_RING_EVENT_IDX is negotiated, virtio devices can use virtqueue_enable_cb_delayed_packed to reduce the number of device interrupts. At the moment, this is the case for virtio-net when the napi_tx module parameter is set to false. In this case, the virtio driver selects an event offset and expects that the device will send a notification when rolling over the event offset in the ring. However, if this roll-over happens before the event suppression structure update, the notification won’t be sent. To address this race condition the driver needs to check wether the device rolled over the offset after updating the event suppression structure. With VIRTIO_F_RING_PACKED, the virtio driver did this by reading the flags field of the descriptor at the specified offset. Unfortunately, checking at the event offset isn’t reliable: if descriptors are chained (e.g. when INDIRECT is off) not all descriptors are overwritten by the device, so it’s possible that the device skipped the specific descriptor driver is checking when writing out used descriptors. If this happens, the driver won’t detect the race condition and will incorrectly expect the device to send a notification. For virtio-net, the result will be a TX queue stall, with the transmission getting blocked forever. With the packed ring, it isn’t easy to find a location which is guaranteed to change upon the roll-over, except the next device descriptor, as described in the spec: Writes of device and driver descriptors can generally be reordered, but each side (driver and device) are only required to poll (or test) a single location in memory: the next device descriptor after the one they processed previously, in circular order. while this might be sub-optimal, let’s do exactly this for now. Cc: [email protected] Cc: Jason Wang Fixes: f51f982682e2a (“virtio_ring: leverage event idx in packed ring”) Signed-off-by: Marvin Liu Signed-off-by: Michael S. Tsirkin Signed-off-by: Greg Kroah-Hartman commit 90f6683d0e0d999f7d913f6a85c713b3af34d672 Author: Bjorn Andersson Date: Tue Oct 29 10:15:39 2019 -0700 arm64: cpufeature: Enable Qualcomm Falkor/Kryo errata 1003 commit d4af3c4b81f4cd5662baa6f1492f998d89783318 upstream. With the introduction of ‘cce360b54ce6 (“arm64: capabilities: Filter the entries based on a given mask”)' the Qualcomm Falkor/Kryo errata 1003 is no long applied. The result of not applying errata 1003 is that MSM8996 runs into various RCU stalls and fails to boot most of the times. Give 1003 a “type” to ensure they are not filtered out in update_cpu_capabilities(). Fixes: cce360b54ce6 (“arm64: capabilities: Filter the entries based on a given mask”) Cc: [email protected] Reported-by: Mark Brown Suggested-by: Will Deacon Signed-off-by: Bjorn Andersson Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit 25361de050c8d8152c625b9fdc0add688e2e53df Author: Catalin Marinas Date: Tue Oct 29 15:30:51 2019 +0000 arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default commit aa57157be69fb599bd4c38a4b75c5aad74a60ec0 upstream. Shared and writable mappings (__S.1.) should be clean (!dirty) initially and made dirty on a subsequent write either through the hardware DBM (dirty bit management) mechanism or through a write page fault. A clean pte for the arm64 kernel is one that has PTE_RDONLY set and PTE_DIRTY clear. The PAGE_SHARED{,_EXEC} attributes have PTE_WRITE set (PTE_DBM) and PTE_DIRTY clear. Prior to commit 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()"), it was the responsibility of set_pte_at() to set the PTE_RDONLY bit and mark the pte clean if the software PTE_DIRTY bit was not set. However, the above commit removed the pte_sw_dirty() check and the subsequent setting of PTE_RDONLY in set_pte_at() while leaving the PAGE_SHARED{,_EXEC} definitions unchanged. The result is that shared+writable mappings are now dirty by default Fix the above by explicitly setting PTE_RDONLY in PAGE_SHARED{,_EXEC}. In addition, remove the superfluous PTE_DIRTY bit from the kernel PROT_* attributes. Fixes: 73e86cb03cf2 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()") Cc: # 4.14.x- Cc: Will Deacon Signed-off-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Greg Kroah-Hartman commit d6c62c06ad5dbe6d8bbbb2862bf26da057d8e49e Author: Kaike Wan Date: Fri Oct 4 16:40:35 2019 -0400 IB/hfi1: Avoid excessive retry for TID RDMA READ request commit 9ed5bd7d22241ad232fd3a5be404e83eb6cadc04 upstream. A TID RDMA READ request could be retried under one of the following conditions: - The RC retry timer expires; - A later TID RDMA READ RESP packet is received before the next expected one. For the latter, under normal conditions, the PSN in IB space is used for comparison. More specifically, the IB PSN in the incoming TID RDMA READ RESP packet is compared with the last IB PSN of a given TID RDMA READ request to determine if the request should be retried. This is similar to the retry logic for noraml RDMA READ request. However, if a TID RDMA READ RESP packet is lost due to congestion, header suppresion will be disabled and each incoming packet will raise an interrupt until the hardware flow is reloaded. Under this condition, each packet KDETH PSN will be checked by software against r_next_psn and a retry will be requested if the packet KDETH PSN is later than r_next_psn. Since each TID RDMA READ segment could have up to 64 packets and each TID RDMA READ request could have many segments, we could make far more retries under such conditions, and thus leading to RETRY_EXC_ERR status. This patch fixes the issue by removing the retry when the incoming packet KDETH PSN is later than r_next_psn. Instead, it resorts to RC timer and normal IB PSN comparison for any request retry. Fixes: 9905bf06e890 (“IB/hfi1: Add functions to receive TID RDMA READ response”) Cc: Reviewed-by: Mike Marciniszyn Signed-off-by: Kaike Wan Signed-off-by: Dennis Dalessandro Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Doug Ledford Signed-off-by: Greg Kroah-Hartman commit 35f23629cb81b437a7e59a5f6acd6880ddc12e65 Author: Alexey Brodkin Date: Tue Oct 22 17:04:11 2019 +0300 ARC: perf: Accommodate big-endian CPU commit 5effc09c4907901f0e71e68e5f2e14211d9a203f upstream. 8-letter strings representing ARC perf events are stores in two 32-bit registers as ASCII characters like that: "IJMP", "IALL", “IJMPTAK” etc. And the same order of bytes in the word is used regardless CPU endianness. Which means in case of big-endian CPU core we need to swap bytes to get the same order as if it was on little-endian CPU. Otherwise we’re seeing the following error message on boot: ------------------------->8---------------------- ARC perf : 8 counters (32 bits), 40 conditions, [overflow IRQ support] sysfs: cannot create duplicate filename ‘/devices/arc_pct/events/pmji’ CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3 Stack Trace: arc_unwind_core+0xd4/0xfc dump_stack+0x64/0x80 sysfs_warn_dup+0x46/0x58 sysfs_add_file_mode_ns+0xb2/0x168 create_files+0x70/0x2a0 ------------[ cut here ]------------ WARNING: CPU: 0 PID: 1 at kernel/events/core.c:12144 perf_event_sysfs_init+0x70/0xa0 Failed to register pmu: arc_pct, reason -17 Modules linked in: CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.2.18 #3 Stack Trace: arc_unwind_core+0xd4/0xfc dump_stack+0x64/0x80 __warn+0x9c/0xd4 warn_slowpath_fmt+0x22/0x2c perf_event_sysfs_init+0x70/0xa0 —[ end trace a75fb9a9837bd1ec ]— ------------------------->8---------------------- What happens here we’re trying to register more than one raw perf event with the same name "PMJI". Why? Because ARC perf events are 4 to 8 letters and encoded into two 32-bit words. In this particular case we deal with 2 events: * “IJMP____” which counts all jump & branch instructions * “IJMPC___” which counts only conditional jumps & branches Those strings are split in two 32-bit words this way “IJMP” + “____” & “IJMP” + “C___” correspondingly. Now if we read them swapped due to CPU core being big-endian then we read “PMJI” + “____” & “PMJI” + "___C". And since we interpret read array of ASCII letters as a null-terminated string on big-endian CPU we end up with 2 events of the same name "PMJI". Signed-off-by: Alexey Brodkin Cc: [email protected] Signed-off-by: Vineet Gupta Signed-off-by: Greg Kroah-Hartman commit 2446dab1502eeb5e096a1c767794e9ae6087ec9c Author: Heiko Carstens Date: Mon Oct 28 11:03:27 2019 +0100 s390/idle: fix cpu idle time calculation commit 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f upstream. The idle time reported in /proc/stat sometimes incorrectly contains huge values on s390. This is caused by a bug in arch_cpu_idle_time(). The kernel tries to figure out when a different cpu entered idle by accessing its per-cpu data structure. There is an ordering problem: if the remote cpu has an idle_enter value which is not zero, and an idle_exit value which is zero, it is assumed it is idle since “now". The “now” timestamp however is taken before the idle_enter value is read. Which in turn means that “now” can be smaller than idle_enter of the remote cpu. Unconditionally subtracting idle_enter from “now” can thus lead to a negative value (aka large unsigned value). Fix this by moving the get_tod_clock() invocation out of the loop. While at it also make the code a bit more readable. A similar bug also exists for show_idle_time(). Fix this is as well. Cc: Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 00ede847a68324b543d1677b86614f9ae1e7f424 Author: Yihui ZENG Date: Fri Oct 25 12:31:48 2019 +0300 s390/cmm: fix information leak in cmm_timeout_handler() commit b8e51a6a9db94bc1fb18ae831b3dab106b5a4b5f upstream. The problem is that we were putting the NUL terminator too far: buf[sizeof(buf) - 1] = '\0’; If the user input isn’t NUL terminated and they haven’t initialized the whole buffer then it leads to an info leak. The NUL terminator should be: buf[len - 1] = '\0’; Signed-off-by: Yihui Zeng Cc: [email protected] Signed-off-by: Dan Carpenter [[email protected]: keep semantics of how *lenp and *ppos are handled] Signed-off-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit b180b41bb01df39a49da28deae4a66888e554f77 Author: Ilya Leoshkevich Date: Wed Oct 2 13:29:57 2019 +0200 s390/unwind: fix mixing regs and sp commit a1d863ac3e1085e1fea9caafd87252d08731de2e upstream. unwind_for_each_frame stops after the first frame if regs->gprs[15] <= sp. The reason is that in case regs are specified, the first frame should be regs->psw.addr and the second frame should be sp->gprs[8]. However, currently the second frame is regs->gprs[15], which confuses outside_of_stack(). Fix by introducing a flag to distinguish this special case from unwinding the interrupt handler, for which the current behavior is appropriate. Fixes: 78c98f907413 (“s390/unwind: introduce stack unwind API”) Signed-off-by: Ilya Leoshkevich Cc: [email protected] # v5.2+ Reviewed-by: Heiko Carstens Signed-off-by: Vasily Gorbik Signed-off-by: Greg Kroah-Hartman commit 6a85f952934bc8f155636c5ce3c1257182d9c535 Author: Anton Ivanov Date: Tue Oct 29 09:13:34 2019 +0000 um-ubd: Entrust re-queue to the upper layers commit d848074b2f1eb11a38691285f7366bce83087014 upstream. Fixes crashes due to ubd requeue logic conflicting with the block-mq logic. Crash is reproducible in 5.0 - 5.3. Fixes: 53766defb8c8 (“um: Clean-up command processing in UML UBD driver”) Cc: [email protected] # v5.0+ Signed-off-by: Anton Ivanov Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 77f01a64c30daa0de35d83310630860316363c6d Author: Andrey Smirnov Date: Thu Oct 17 21:45:17 2019 -0700 HID: logitech-hidpp: do all FF cleanup in hidpp_ff_destroy() commit 08c453f6d073f069cf8e30e03cd3c16262c9b953 upstream. All of the FF-related resources belong to corresponding FF device, so they should be freed as a part of hidpp_ff_destroy() to avoid potential race condidions. Fixes: ff21a635dd1a (“HID: logitech-hidpp: Force feedback support for the Logitech G920”) Suggested-by: Benjamin Tissoires Signed-off-by: Andrey Smirnov Cc: Jiri Kosina Cc: Benjamin Tissoires Cc: Henrik Rydberg Cc: Pierre-Loup A. Griffais Cc: Austin Palmer Cc: [email protected] Cc: [email protected] Cc: [email protected] # 5.2+ Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit a8a6c2e9d4f19dd907c812e401dd4b0b1b8b146d Author: Andrey Smirnov Date: Thu Oct 17 21:45:16 2019 -0700 HID: logitech-hidpp: rework device validation commit 905d754c53a522aacf806ea1d3e7c929148c1910 upstream. G920 device only advertises REPORT_ID_HIDPP_LONG and REPORT_ID_HIDPP_VERY_LONG in its HID report descriptor, so querying for REPORT_ID_HIDPP_SHORT with optional=false will always fail and prevent G920 to be recognized as a valid HID++ device. To fix this and improve some other aspects, modify hidpp_validate_device() as follows: - Inline the code of hidpp_validate_report() to simplify distingushing between non-present and invalid report descriptors - Drop the check for id >= HID_MAX_IDS || id < 0 since all of our IDs are static and known to satisfy that at compile time - Change the algorithms to check all possible report types (including very long report) and deem the device as a valid HID++ device if it supports at least one - Treat invalid report length as a hard stop for the validation algorithm, meaning that if any of the supported reports has invalid length we assume the worst and treat the device as a generic HID device. - Fold initialization of hidpp->very_long_report_length into hidpp_validate_device() since it already fetches very long report length and validates its value Fixes: fe3ee1ec007b (“HID: logitech-hidpp: allow non HID++ devices to be handled by this module”) Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=204191 Reported-by: Sam Bazely Signed-off-by: Andrey Smirnov Cc: Jiri Kosina Cc: Benjamin Tissoires Cc: Henrik Rydberg Cc: Pierre-Loup A. Griffais Cc: Austin Palmer Cc: [email protected] Cc: [email protected] Cc: [email protected] # 5.2+ Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 5f7fd3576cf30d502a8b2aec4e7a49c4f894e253 Author: Andrey Smirnov Date: Thu Oct 17 21:45:15 2019 -0700 HID: logitech-hidpp: split g920_get_config() commit abdd3d0b344fdf72a4904d09b97bc964d74c4419 upstream. Original version of g920_get_config() contained two kind of actions: 1. Device specific communication to query/set some parameters which requires active communication channel with the device, or, put in other way, for the call to be sandwiched between hid_device_io_start() and hid_device_io_stop(). 2. Input subsystem specific FF controller initialization which, in order to access a valid ‘struct hid_input’ via 'hid->inputs.next’, requires claimed hidinput which means be executed after the call to hid_hw_start() with connect_mask containing HID_CONNECT_HIDINPUT. Location of g920_get_config() can only fulfill requirements for #1 and not #2, which might result in following backtrace: [ 88.312258] logitech-hidpp-device 0003:046D:C262.0005: HID++ 4.2 device connected. [ 88.320298] BUG: kernel NULL pointer dereference, address: 0000000000000018 [ 88.320304] #PF: supervisor read access in kernel mode [ 88.320307] #PF: error_code(0x0000) - not-present page [ 88.320309] PGD 0 P4D 0 [ 88.320315] Oops: 0000 [#1] SMP PTI [ 88.320320] CPU: 1 PID: 3080 Comm: systemd-udevd Not tainted 5.4.0-rc1+ #31 [ 88.320322] Hardware name: Apple Inc. MacBookPro11,1/Mac-189A3D4F975D5FFC, BIOS 149.0.0.0.0 09/17/2018 [ 88.320334] RIP: 0010:hidpp_probe+0x61f/0x948 [hid_logitech_hidpp] [ 88.320338] Code: 81 00 00 48 89 ef e8 f0 d6 ff ff 41 89 c6 85 c0 75 b5 0f b6 44 24 28 48 8b 5d 00 88 44 24 1e 89 44 24 0c 48 8b 83 18 1c 00 00 <48> 8b 48 18 48 8b 83 10 19 00 00 48 8b 40 40 48 89 0c 24 0f b7 80 [ 88.320341] RSP: 0018:ffffb0a6824aba68 EFLAGS: 00010246 [ 88.320345] RAX: 0000000000000000 RBX: ffff93a50756e000 RCX: 0000000000010408 [ 88.320347] RDX: 0000000000000000 RSI: ffff93a51f0ad0a0 RDI: 000000000002d0a0 [ 88.320350] RBP: ffff93a50416da28 R08: ffff93a50416da70 R09: ffff93a50416da70 [ 88.320352] R10: 000000148ae9e60c R11: 00000000000f1525 R12: ffff93a50756e000 [ 88.320354] R13: ffff93a50756f8d0 R14: 0000000000000000 R15: ffff93a50756fc38 [ 88.320358] FS: 00007f8d8c1e0940(0000) GS:ffff93a51f080000(0000) knlGS:0000000000000000 [ 88.320361] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 88.320363] CR2: 0000000000000018 CR3: 00000003996d8003 CR4: 00000000001606e0 [ 88.320366] Call Trace: [ 88.320377] ? _cond_resched+0x15/0x30 [ 88.320387] ? create_pinctrl+0x2f/0x3c0 [ 88.320393] ? kernfs_link_sibling+0x94/0xe0 [ 88.320398] ? _cond_resched+0x15/0x30 [ 88.320402] ? kernfs_activate+0x5f/0x80 [ 88.320406] ? kernfs_add_one+0xe2/0x130 [ 88.320411] hid_device_probe+0x106/0x170 [ 88.320419] really_probe+0x147/0x3c0 [ 88.320424] driver_probe_device+0xb6/0x100 [ 88.320428] device_driver_attach+0x53/0x60 [ 88.320433] __driver_attach+0x8a/0x150 [ 88.320437] ? device_driver_attach+0x60/0x60 [ 88.320440] bus_for_each_dev+0x78/0xc0 [ 88.320445] bus_add_driver+0x14d/0x1f0 [ 88.320450] driver_register+0x6c/0xc0 [ 88.320453] ? 0xffffffffc0d67000 [ 88.320457] __hid_register_driver+0x4c/0x80 [ 88.320464] do_one_initcall+0x46/0x1f4 [ 88.320469] ? _cond_resched+0x15/0x30 [ 88.320474] ? kmem_cache_alloc_trace+0x162/0x220 [ 88.320481] ? do_init_module+0x23/0x230 [ 88.320486] do_init_module+0x5c/0x230 [ 88.320491] load_module+0x26e1/0x2990 [ 88.320502] ? ima_post_read_file+0xf0/0x100 [ 88.320508] ? __do_sys_finit_module+0xaa/0x110 [ 88.320512] __do_sys_finit_module+0xaa/0x110 [ 88.320520] do_syscall_64+0x5b/0x180 [ 88.320525] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 88.320528] RIP: 0033:0x7f8d8d1f01fd [ 88.320532] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 5b 8c 0c 00 f7 d8 64 89 01 48 [ 88.320535] RSP: 002b:00007ffefa3bb068 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 [ 88.320539] RAX: ffffffffffffffda RBX: 000055922040cb40 RCX: 00007f8d8d1f01fd [ 88.320541] RDX: 0000000000000000 RSI: 00007f8d8ce4984d RDI: 0000000000000006 [ 88.320543] RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000007 [ 88.320545] R10: 0000000000000006 R11: 0000000000000246 R12: 00007f8d8ce4984d [ 88.320547] R13: 0000000000000000 R14: 000055922040efc0 R15: 000055922040cb40 [ 88.320551] Modules linked in: hid_logitech_hidpp(+) fuse rfcomm ccm xt_CHECKSUM xt_MASQUERADE bridge stp llc nf_nat_tftp nf_conntrack_tftp nf_conntrack_netbios_ns nf_conntrack_broadcast xt_CT ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 xt_conntrack ebtable_nat ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat tun iptable_mangle iptable_raw iptable_security nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c ip_set nfnetlink ebtable_filter ebtables ip6table_filter ip6_tables cmac bnep sunrpc dm_crypt nls_utf8 hfsplus intel_rapl_msr intel_rapl_common ath9k_htc ath9k_common x86_pkg_temp_thermal intel_powerclamp b43 ath9k_hw coretemp snd_hda_codec_hdmi cordic kvm_intel snd_hda_codec_cirrus mac80211 snd_hda_codec_generic ledtrig_audio kvm snd_hda_intel snd_intel_nhlt irqbypass snd_hda_codec btusb btrtl snd_hda_core ath btbcm ssb snd_hwdep btintel snd_seq crct10dif_pclmul iTCO_wdt snd_seq_device crc32_pclmul bluetooth mmc_core iTCO_vendor_support joydev cfg80211 [ 88.320602] applesmc ghash_clmulni_intel ecdh_generic snd_pcm input_polldev intel_cstate ecc intel_uncore thunderbolt snd_timer i2c_i801 libarc4 rfkill intel_rapl_perf lpc_ich mei_me pcspkr bcm5974 snd bcma mei soundcore acpi_als sbs kfifo_buf sbshc industrialio apple_bl i915 i2c_algo_bit drm_kms_helper drm uas crc32c_intel usb_storage video hid_apple [ 88.320630] CR2: 0000000000000018 [ 88.320633] —[ end trace 933491c8a4fadeb7 ]— [ 88.320642] RIP: 0010:hidpp_probe+0x61f/0x948 [hid_logitech_hidpp] [ 88.320645] Code: 81 00 00 48 89 ef e8 f0 d6 ff ff 41 89 c6 85 c0 75 b5 0f b6 44 24 28 48 8b 5d 00 88 44 24 1e 89 44 24 0c 48 8b 83 18 1c 00 00 <48> 8b 48 18 48 8b 83 10 19 00 00 48 8b 40 40 48 89 0c 24 0f b7 80 [ 88.320647] RSP: 0018:ffffb0a6824aba68 EFLAGS: 00010246 [ 88.320650] RAX: 0000000000000000 RBX: ffff93a50756e000 RCX: 0000000000010408 [ 88.320652] RDX: 0000000000000000 RSI: ffff93a51f0ad0a0 RDI: 000000000002d0a0 [ 88.320655] RBP: ffff93a50416da28 R08: ffff93a50416da70 R09: ffff93a50416da70 [ 88.320657] R10: 000000148ae9e60c R11: 00000000000f1525 R12: ffff93a50756e000 [ 88.320659] R13: ffff93a50756f8d0 R14: 0000000000000000 R15: ffff93a50756fc38 [ 88.320662] FS: 00007f8d8c1e0940(0000) GS:ffff93a51f080000(0000) knlGS:0000000000000000 [ 88.320664] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 88.320667] CR2: 0000000000000018 CR3: 00000003996d8003 CR4: 00000000001606e0 To solve this issue: 1. Split g920_get_config() such that all of the device specific communication remains a part of the function and input subsystem initialization bits go to hidpp_ff_init() 2. Move call to hidpp_ff_init() from being a part of g920_get_config() to be the last step of .probe(), right after a call to hid_hw_start() with connect_mask containing HID_CONNECT_HIDINPUT. Fixes: 91cf9a98ae41 (“HID: logitech-hidpp: make .probe usbhid capable”) Signed-off-by: Andrey Smirnov Tested-by: Sam Bazley Cc: Jiri Kosina Cc: Benjamin Tissoires Cc: Henrik Rydberg Cc: Pierre-Loup A. Griffais Cc: Austin Palmer Cc: [email protected] Cc: [email protected] Cc: [email protected] # 5.2+ Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit b2430ddbbb11bd6356865702d28fab488a751803 Author: Michał Mirosław Date: Fri Aug 23 21:15:27 2019 +0200 HID: fix error message in hid_open_report() commit b3a81c777dcb093020680490ab970d85e2f6f04f upstream. On HID report descriptor parsing error the code displays bogus pointer instead of error offset (subtracts start=NULL from end). Make the message more useful by displaying correct error offset and include total buffer size for reference. This was carried over from ancient times - “Fixed” commit just promoted the message from DEBUG to ERROR. Cc: [email protected] Fixes: 8c3d52fc393b (“HID: make parser more verbose about parsing errors by default”) Signed-off-by: Michał Mirosław Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 40122a5d25bb7cf21eb8c08cea366e309214b5f7 Author: Alan Stern Date: Thu Oct 3 14:53:59 2019 -0400 HID: Fix assumption that devices have inputs commit d9d4b1e46d9543a82c23f6df03f4ad697dab361b upstream. The syzbot fuzzer found a slab-out-of-bounds write bug in the hid-gaff driver. The problem is caused by the driver’s assumption that the device must have an input report. While this will be true for all normal HID input devices, a suitably malicious device can violate the assumption. The same assumption is present in over a dozen other HID drivers. This patch fixes them by checking that the list of hid_inputs for the hid_device is nonempty before allowing it to be used. Reported-and-tested-by: [email protected] Signed-off-by: Alan Stern CC: Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 96a34a445b7db7293f54b183366347219ab51639 Author: Hans de Goede Date: Mon Oct 7 20:56:26 2019 +0200 HID: i2c-hid: add Trekstor Primebook C11B to descriptor override commit 09f3dbe474735df13dd8a66d3d1231048d9b373f upstream. The Primebook C11B uses the SIPODEV SP1064 touchpad. There are 2 versions of this 2-in-1 and the touchpad in the older version does not supply descriptors, so it has to be added to the override list. Cc: [email protected] Signed-off-by: Hans de Goede Signed-off-by: Benjamin Tissoires Signed-off-by: Greg Kroah-Hartman commit 5c0dba132351c2bf85c3846e117b4efdae903d53 Author: Bart Van Assche Date: Wed Oct 23 13:21:50 2019 -0700 scsi: target: cxgbit: Fix cxgbit_fw4_ack() commit fc5b220b2dcf8b512d9bd46fd17f82257e49bf89 upstream. Use the pointer ‘p’ after having tested that pointer instead of before. Fixes: 5cadafb236df (“target/cxgbit: Fix endianness annotations”) Cc: Varun Prakash Cc: Nicholas Bellinger Cc: Link: https://lore.kernel.org/r/[email protected] Reported-by: Dan Carpenter Signed-off-by: Bart Van Assche Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 03b5e0b410311c43c3f650d4e279d810f313414c Author: Quinn Tran Date: Tue Oct 22 12:36:43 2019 -0700 scsi: qla2xxx: Fix partial flash write of MBI commit 8d8b83f5be2a3bdac3695a94e6cb5e50bd114869 upstream. For new adapters with multiple flash regions to write to, current code allows FW & Boot regions to be written, while other regions are blocked via sysfs. The fix is to block all flash read/write through sysfs interface. Fixes: e81d1bcbde06 (“scsi: qla2xxx: Further limit FLASH region write access from SysFS”) Cc: [email protected] # 5.2 Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Quinn Tran Signed-off-by: Girish Basrur Signed-off-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Greg Kroah-Hartman commit 406de5141bb4e5cc322d793f4da9179de364fef6 Author: Mathias Nyman Date: Fri Oct 25 17:30:27 2019 +0300 xhci: Fix use-after-free regression in xhci clear hub TT implementation commit 18b74067ac78a2dea65783314c13df98a53d071c upstream. commit ef513be0a905 (“usb: xhci: Add Clear_TT_Buffer”) schedules work to clear TT buffer, but causes a use-after-free regression at the same time Make sure hub_tt_work finishes before endpoint is disabled, otherwise the work will dereference already freed endpoint and device related pointers. This was triggered when usb core failed to read the configuration descriptor of a FS/LS device during enumeration. xhci driver queued clear_tt_work while usb core freed and reallocated a new device for the next enumeration attempt. EHCI driver implents ehci_endpoint_disable() that makes sure clear_tt_work has finished before it returns, but xhci lacks this support. usb core will call hcd->driver->endpoint_disable() callback before disabling endpoints, so we want this in xhci as well. The added xhci_endpoint_disable() is based on ehci_endpoint_disable() Fixes: ef513be0a905 (“usb: xhci: Add Clear_TT_Buffer”) Cc: # v5.3 Reported-by: Johan Hovold Suggested-by: Johan Hovold Reviewed-by: Johan Hovold Tested-by: Johan Hovold Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 616bc303be172822401e0d2664f55148c56a10b8 Author: Johan Hovold Date: Tue Oct 29 11:23:54 2019 +0100 USB: serial: whiteheat: fix line-speed endianness commit 84968291d7924261c6a0624b9a72f952398e258b upstream. Add missing endianness conversion when setting the line speed so that this driver might work also on big-endian machines. Also use an unsigned format specifier in the corresponding debug message. Signed-off-by: Johan Hovold Cc: stable Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 1ebf7324946443fb151e1190617959147ec28b6c Author: Johan Hovold Date: Tue Oct 29 11:23:53 2019 +0100 USB: serial: whiteheat: fix potential slab corruption commit 1251dab9e0a2c4d0d2d48370ba5baa095a5e8774 upstream. Fix a user-controlled slab buffer overflow due to a missing sanity check on the bulk-out transfer buffer used for control requests. Fixes: 1da177e4c3f4 (“Linux-2.6.12-rc2”) Cc: stable Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 8a4ceabd78ad82b2471ae40ac67226d409ee7de7 Author: Ben Dooks (Codethink) Date: Fri Oct 25 17:30:29 2019 +0300 usb: xhci: fix __le32/__le64 accessors in debugfs code commit d5501d5c29a2e684640507cfee428178d6fd82ca upstream. It looks like some of the xhci debug code is passing u32 to functions directly from __le32/__le64 fields. Fix this by using le{32,64}_to_cpu() on these to fix the following sparse warnings; xhci-debugfs.c:205:62: warning: incorrect type in argument 1 (different base types) xhci-debugfs.c:205:62: expected unsigned int [usertype] field0 xhci-debugfs.c:205:62: got restricted __le32 xhci-debugfs.c:206:62: warning: incorrect type in argument 2 (different base types) xhci-debugfs.c:206:62: expected unsigned int [usertype] field1 xhci-debugfs.c:206:62: got restricted __le32 … [Trim down commit message, sparse warnings were similar -Mathias] Cc: # 4.15+ Signed-off-by: Ben Dooks Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 7e92a75330c521f03f9dac4ee4c4bd2ea8dd3498 Author: Samuel Holland Date: Fri Oct 25 17:30:28 2019 +0300 usb: xhci: fix Immediate Data Transfer endianness commit bfa3dbb343f664573292afb9e44f9abeb81a19de upstream. The arguments to queue_trb are always byteswapped to LE for placement in the ring, but this should not happen in the case of immediate data; the bytes copied out of transfer_buffer are already in the correct order. Add a complementary byteswap so the bytes end up in the ring correctly. This was observed on BE ppc64 with a “Texas Instruments TUSB73x0 SuperSpeed USB 3.0 xHCI Host Controller [104c:8241]" as a ch341 usb-serial adapter (“1a86:7523 QinHeng Electronics HL-340 USB-Serial adapter”) always transmitting the same character (generally NUL) over the serial link regardless of the key pressed. Cc: # 5.2+ Fixes: 33e39350ebd2 (“usb: xhci: add Immediate Data Transfer support”) Signed-off-by: Samuel Holland Signed-off-by: Mathias Nyman Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 5ca7fe7788eadc2d68e80bdd758ea1b64f9be731 Author: Johan Hovold Date: Tue Oct 22 17:31:27 2019 +0200 USB: ldusb: fix control-message timeout commit 52403cfbc635d28195167618690595013776ebde upstream. USB control-message timeouts are specified in milliseconds, not jiffies. Waiting 83 minutes for a transfer to complete is a bit excessive. Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver”) Cc: stable # 2.6.13 Reported-by: [email protected] Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit cc9c0f0113368537df5593ba1660e0d093f4693c Author: Johan Hovold Date: Tue Oct 22 16:32:02 2019 +0200 USB: ldusb: fix ring-buffer locking commit d98ee2a19c3334e9343df3ce254b496f1fc428eb upstream. The custom ring-buffer implementation was merged without any locking or explicit memory barriers, but a spinlock was later added by commit 9d33efd9a791 (“USB: ldusb bugfix”). The lock did not cover the update of the tail index once the entry had been processed, something which could lead to memory corruption on weakly ordered architectures or due to compiler optimisations. Specifically, a completion handler running on another CPU might observe the incremented tail index and update the entry before ld_usb_read() is done with it. Fixes: 2824bd250f0b ("[PATCH] USB: add ldusb driver”) Fixes: 9d33efd9a791 (“USB: ldusb bugfix”) Cc: stable # 2.6.13 Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 37b5f15e02bfa4d4bdf0203e54243521e54a15b1 Author: Alan Stern Date: Mon Oct 21 11:48:06 2019 -0400 usb-storage: Revert commit 747668dbc061 (“usb-storage: Set virt_boundary_mask to avoid SG overflows”) commit 9a976949613132977098fc49510b46fa8678d864 upstream. Commit 747668dbc061 (“usb-storage: Set virt_boundary_mask to avoid SG overflows”) attempted to solve a problem involving scatter-gather I/O and USB/IP by setting the virt_boundary_mask for mass-storage devices. However, it now turns out that this interacts badly with commit 09324d32d2a0 (“block: force an unlimited segment size on queues with a virt boundary”), which was added later. A typical error message is: ehci-pci 0000:00:13.2: swiotlb buffer is full (sz: 327680 bytes), total 32768 (slots), used 97 (slots) There is no longer any reason to keep the virt_boundary_mask setting for usb-storage. It was needed in the first place only for handling devices with a block size smaller than the maxpacket size and where the host controller was not capable of fully general scatter-gather operation (that is, able to merge two SG segments into a single USB packet). But: High-speed or slower connections never use a bulk maxpacket value larger than 512; The SCSI layer does not handle block devices with a block size smaller than 512 bytes; All the host controllers capable of SuperSpeed operation can handle fully general SG; Since commit ea44d190764b (“usbip: Implement SG support to vhci-hcd and stub driver”) was merged, the USB/IP driver can also handle SG. Therefore all supported device/controller combinations should be okay with no need for any special virt_boundary_mask. So in order to fix the swiotlb problem, this patch reverts commit 747668dbc061. Reported-and-tested-by: Piergiorgio Sartor Link: https://marc.info/?l=linux-usb&m=157134199501202&w=2 Signed-off-by: Alan Stern CC: Seth Bollinger CC: Fixes: 747668dbc061 (“usb-storage: Set virt_boundary_mask to avoid SG overflows”) Acked-by: Christoph Hellwig Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 8212b44b7109bd30dbf7eb7f5ecbbc413757a7d7 Author: Alan Stern Date: Mon Oct 28 10:54:26 2019 -0400 USB: gadget: Reject endpoints with 0 maxpacket value commit 54f83b8c8ea9b22082a496deadf90447a326954e upstream. Endpoints with a maxpacket length of 0 are probably useless. They can’t transfer any data, and it’s not at all unlikely that a UDC will crash or hang when trying to handle a non-zero-length usb_request for such an endpoint. Indeed, dummy-hcd gets a divide error when trying to calculate the remainder of a transfer length by the maxpacket value, as discovered by the syzbot fuzzer. Currently the gadget core does not check for endpoints having a maxpacket value of 0. This patch adds a check to usb_ep_enable(), preventing such endpoints from being used. As far as I know, none of the gadget drivers in the kernel tries to create an endpoint with maxpacket = 0, but until now there has been nothing to prevent userspace programs under gadgetfs or configfs from doing it. Signed-off-by: Alan Stern Reported-and-tested-by: [email protected] CC: Acked-by: Felipe Balbi Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit a654b6f3ff3b9e53cdd0b09f2d67073f739fcc1c Author: Markus Theil Date: Tue Oct 29 10:30:03 2019 +0100 nl80211: fix validation of mesh path nexthop commit 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 upstream. Mesh path nexthop should be a ethernet address, but current validation checks against 4 byte integers. Cc: [email protected] Fixes: 2ec600d672e74 (“nl80211/cfg80211: support for mesh, sta dumping”) Signed-off-by: Markus Theil Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit d4a4d157128b6f54deb65142c842e152fbe9ac05 Author: Alan Stern Date: Wed Oct 23 11:34:33 2019 -0400 UAS: Revert commit 3ae62a42090f (“UAS: fix alignment of scatter/gather segments”) commit 1186f86a71130a7635a20843e355bb880c7349b2 upstream. Commit 3ae62a42090f (“UAS: fix alignment of scatter/gather segments”), copying a similar commit for usb-storage, attempted to solve a problem involving scatter-gather I/O and USB/IP by setting the virt_boundary_mask for mass-storage devices. However, it now turns out that the analogous change in usb-storage interacted badly with commit 09324d32d2a0 (“block: force an unlimited segment size on queues with a virt boundary”), which was added later. A typical error message is: ehci-pci 0000:00:13.2: swiotlb buffer is full (sz: 327680 bytes), total 32768 (slots), used 97 (slots) There is no longer any reason to keep the virt_boundary_mask setting in the uas driver. It was needed in the first place only for handling devices with a block size smaller than the maxpacket size and where the host controller was not capable of fully general scatter-gather operation (that is, able to merge two SG segments into a single USB packet). But: High-speed or slower connections never use a bulk maxpacket value larger than 512; The SCSI layer does not handle block devices with a block size smaller than 512 bytes; All the host controllers capable of SuperSpeed operation can handle fully general SG; Since commit ea44d190764b (“usbip: Implement SG support to vhci-hcd and stub driver”) was merged, the USB/IP driver can also handle SG. Therefore all supported device/controller combinations should be okay with no need for any special virt_boundary_mask. So in order to head off potential problems similar to those affecting usb-storage, this patch reverts commit 3ae62a42090f. Signed-off-by: Alan Stern CC: Oliver Neukum CC: Acked-by: Christoph Hellwig Fixes: 3ae62a42090f (“UAS: fix alignment of scatter/gather segments”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman commit 96234d043ba5903b9116cbcdebe7e9a5a2a96af2 Author: Miaoqing Pan Date: Thu Aug 29 10:45:12 2019 +0800 ath10k: fix latency issue for QCA988x commit d79749f7716d9dc32fa2d5075f6ec29aac63c76d upstream. (kvalo: cherry picked from commit 1340cc631bd00431e2f174525c971f119df9efa1 in wireless-drivers-next to wireless-drivers as this a frequently reported regression) Bad latency is found on QCA988x, the issue was introduced by commit 4504f0e5b571 (“ath10k: sdio: workaround firmware UART pin configuration bug”). If uart_pin_workaround is false, this change will set uart pin even if uart_print is false. Tested HW: QCA9880 Tested FW: 10.2.4-1.0-00037 Fixes: 4504f0e5b571 (“ath10k: sdio: workaround firmware UART pin configuration bug”) Signed-off-by: Miaoqing Pan Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit cc351115cbeb1eae9b0c921e819bdac47b714eaf Author: Kailang Yang Date: Thu Oct 24 15:13:32 2019 +0800 ALSA: hda/realtek - Add support for ALC623 commit f0778871a13889b86a65d4ad34bef8340af9d082 upstream. Support new codec ALC623. Signed-off-by: Kailang Yang Cc: Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 4f473133889e24cf28e103b210ff5dc7919ed99c Author: Aaron Ma Date: Thu Oct 24 19:44:39 2019 +0800 ALSA: hda/realtek - Fix 2 front mics of codec 0x623 commit 8a6c55d0f883e9a7e7c91841434f3b6bbf932bb2 upstream. These 2 ThinkCentres installed a new realtek codec ID 0x623, it has 2 front mics with the same location on pin 0x18 and 0x19. Apply fixup ALC283_FIXUP_HEADSET_MIC to change 1 front mic location to right, then pulseaudio can handle them. One “Front Mic” and one “Mic” will be shown, and audio output works fine. Signed-off-by: Aaron Ma Cc: Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit afe7691b1f542eb61fc282766b125f2530fc5c7e Author: Takashi Iwai Date: Wed Oct 30 22:42:57 2019 +0100 ALSA: timer: Fix mutex deadlock at releasing card commit a39331867335d4a94b6165e306265c9e24aca073 upstream. When a card is disconnected while in use, the system waits until all opened files are closed then releases the card. This is done via put_device() of the card device in each device release code. The recently reported mutex deadlock bug happens in this code path; snd_timer_close() for the timer device deals with the global register_mutex and it calls put_device() there. When this timer device is the last one, the card gets freed and it eventually calls snd_timer_free(), which has again the protection with the global register_mutex – boom. Basically put_device() call itself is race-free, so a relative simple workaround is to move this put_device() call out of the mutex. For achieving that, in this patch, snd_timer_close_locked() got a new argument to store the card device pointer in return, and each caller invokes put_device() with the returned object after the mutex unlock. Reported-and-tested-by: Kirill A. Shutemov Cc: Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 74e316272e70250cef3b8115530654ad0c120529 Author: Takashi Sakamoto Date: Sat Oct 26 12:06:20 2019 +0900 ALSA: bebob: Fix prototype of helper function to return negative value commit f2bbdbcb075f3977a53da3bdcb7cd460bc8ae5f2 upstream. A helper function of ALSA bebob driver returns negative value in a function which has a prototype to return unsigned value. This commit fixes it by changing the prototype. Fixes: eb7b3a056cd8 (“ALSA: bebob: Add commands and connections/streams management”) Cc: # v3.16+ Signed-off-by: Takashi Sakamoto Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b19326f00f4b68fa2727d06b4e80b98f10ee4881 Author: Miklos Szeredi Date: Wed Oct 23 14:26:37 2019 +0200 fuse: truncate pending writes on O_TRUNC commit e4648309b85a78f8c787457832269a8712a8673e upstream. Make sure cached writes are not reordered around open(…, O_TRUNC), with the obvious wrong results. Fixes: 4d99ff8f12eb (“fuse: Turn writeback cache on”) Cc: # v3.15+ Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 8e5199d86660d71d5b27393ed937a31199e3b773 Author: Miklos Szeredi Date: Wed Oct 23 14:26:37 2019 +0200 fuse: flush dirty data/metadata before non-truncate setattr commit b24e7598db62386a95a3c8b9c75630c5d56fe077 upstream. If writeback cache is enabled, then writes might get reordered with chmod/chown/utimes. The problem with this is that performing the write in the fuse daemon might itself change some of these attributes. In such case the following sequence of operations will result in file ending up with the wrong mode, for example: int fd = open ("suid", O_WRONLY|O_CREAT|O_EXCL); write (fd, "1", 1); fchown (fd, 0, 0); fchmod (fd, 04755); close (fd); This patch fixes this by flushing pending writes before performing chown/chmod/utimes. Reported-by: Giuseppe Scrivano Tested-by: Giuseppe Scrivano Fixes: 4d99ff8f12eb (“fuse: Turn writeback cache on”) Cc: # v3.15+ Signed-off-by: Miklos Szeredi Signed-off-by: Greg Kroah-Hartman commit 22d8d00c3346bf2443d995d1070da320d460e352 Author: Hui Peng Date: Sat Aug 3 20:29:04 2019 -0400 ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() [ Upstream commit 39d170b3cb62ba98567f5c4f40c27b5864b304e5 ] The `ar_usb` field of `ath6kl_usb_pipe_usb_pipe` objects are initialized to point to the containing `ath6kl_usb` object according to endpoint descriptors read from the device side, as shown below in `ath6kl_usb_setup_pipe_resources`: for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) { endpoint = &iface_desc->endpoint[i].desc; // get the address from endpoint descriptor pipe_num = ath6kl_usb_get_logical_pipe_num(ar_usb, endpoint->bEndpointAddress, &urbcount); … // select the pipe object pipe = &ar_usb->pipes[pipe_num]; // initialize the ar_usb field pipe->ar_usb = ar_usb; } The driver assumes that the addresses reported in endpoint descriptors from device side to be complete. If a device is malicious and does not report complete addresses, it may trigger NULL-ptr-deref `ath6kl_usb_alloc_urb_from_pipe` and `ath6kl_usb_free_urb_to_pipe`. This patch fixes the bug by preventing potential NULL-ptr-deref (CVE-2019-15098). Signed-off-by: Hui Peng Reported-by: Hui Peng Reported-by: Mathias Payer Reviewed-by: Greg Kroah-Hartman Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit f0c86c793b7b8d1cd371572abc2344134113d4b3 Author: Mika Westerberg Date: Wed Jul 4 08:46:07 2018 +0300 thunderbolt: Use 32-bit writes when writing ring producer/consumer [ Upstream commit 943795219d3cb9f8ce6ce51cad3ffe1f61e95c6b ] The register access should be using 32-bit reads/writes according to the datasheet. With the previous generation hardware 16-bit writes have been working but starting with ICL this is not the case anymore so fix producer/consumer register update to use correct width register address. Signed-off-by: Mika Westerberg Reviewed-by: Yehezkel Bernat Tested-by: Mario Limonciello Signed-off-by: Sasha Levin commit 4cabebfa1c0766ac1afec380f8ef723802be58dc Author: Mika Westerberg Date: Tue Jun 11 19:31:26 2019 +0300 thunderbolt: Correct path indices for PCIe tunnel [ Upstream commit ce19f91eae43e39d5a1da55344756ab5a3c7e8d1 ] PCIe tunnel path indices got mixed up when we added support for tunnels between switches that are not adjacent. This did not affect the functionality as it is just an index but fix it now nevertheless to make the code easier to understand. Reported-by: Rajmohan Mani Fixes: 8c7acaaf020f (“thunderbolt: Extend tunnel creation to more than 2 adjacent switches”) Signed-off-by: Mika Westerberg Reviewed-by: Yehezkel Bernat Signed-off-by: Sasha Levin commit ce16a0019ce156d0ec96afbdbf26583f46ce2a08 Author: Sebastian Ott Date: Tue Sep 10 15:45:04 2019 +0200 s390/pci: fix MSI message data [ Upstream commit cf2c4a3f35b75d38cebb4afbd578f1594f068d1e ] After recent changes the MSI message data needs to specify the function-relative IRQ number. Reported-and-tested-by: Alexander Schmidt Signed-off-by: Sebastian Ott Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit edc82440df33c26e5116ba76675cb6edeec349ee Author: Joe Perches Date: Tue Jul 9 22:04:22 2019 -0700 rtw88: Fix misuse of GENMASK macro [ Upstream commit 5ff29d836d1beb347080bd96e6321c811a8e3f62 ] Arguments are supposed to be ordered high then low. Signed-off-by: Joe Perches Acked-by: Yan-Hsuan Chuang Signed-off-by: Kalle Valo Signed-off-by: Sasha Levin commit 21d8adb51f4d4f3e7576432ffabd4dc4187f56e2 Author: Jeffrey Hugo Date: Fri Jun 21 07:59:51 2019 -0700 arm64: dts: qcom: Add Asus NovaGo TP370QL [ Upstream commit 722eb2f65acc4cebeb710fc7cc98f51513e90f1f ] This adds the initial DT for the Asus NovaGo TP370QL laptop. Supported functionality includes USB (host), microSD-card, keyboard, and trackpad. Signed-off-by: Jeffrey Hugo Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 7afe6990a3942767b924a6d7173bb70e5d96182c Author: Jeffrey Hugo Date: Fri Jun 21 07:57:21 2019 -0700 arm64: dts: qcom: Add HP Envy x2 [ Upstream commit 3f527d311932791fde67ffec32536d22d5dd3030 ] This adds the initial DT for the HP Envy x2 laptop. Supported functionality includes USB (host), microSD-card, keyboard, and trackpad. Signed-off-by: Jeffrey Hugo Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit ac2698f054ccb46c44d4352f6606405d98582154 Author: Jeffrey Hugo Date: Fri Jun 21 07:54:50 2019 -0700 arm64: dts: qcom: Add Lenovo Miix 630 [ Upstream commit 2c6d2d3a580a852fe0a694e13af502a862293e0e ] This adds the initial DT for the Lenovo Miix 630 laptop. Supported functionality includes USB (host), microSD-card, keyboard, and trackpad. Signed-off-by: Jeffrey Hugo Signed-off-by: Bjorn Andersson Signed-off-by: Sasha Levin commit 4fa1cbd587ef967812f9d9f6ce46ec1dead7502c Author: Mike Christie Date: Thu Oct 17 16:27:34 2019 -0500 nbd: verify socket is supported during setup [ Upstream commit cf1b2326b734896734c6e167e41766f9cee7686a ] nbd requires socket families to support the shutdown method so the nbd recv workqueue can be woken up from its sock_recvmsg call. If the socket does not support the callout we will leave recv works running or get hangs later when the device or module is removed. This adds a check during socket connection/reconnection to make sure the socket being passed in supports the needed callout. Reported-by: [email protected] Fixes: e9e006f5fcf2 (“nbd: fix max number of supported devs”) Tested-by: Richard W.M. Jones Signed-off-by: Mike Christie Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 3d8afacef1ccd12ceb7cfec69587e18f67de24b5 Author: Dan Carpenter Date: Fri Oct 11 17:11:15 2019 +0300 USB: legousbtower: fix a signedness bug in tower_probe() [ Upstream commit fd47a417e75e2506eb3672ae569b1c87e3774155 ] The problem is that sizeof() is unsigned long so negative error codes are type promoted to high positive values and the condition becomes false. Fixes: 1d427be4a39d (“USB: legousbtower: fix slab info leak at probe”) Signed-off-by: Dan Carpenter Acked-by: Johan Hovold Link: https://lore.kernel.org/r/20191011141115.GA4521@mwanda Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 724337746b1a1a5519e10b536e8d32f32312f6aa Author: Thomas Richter Date: Mon Oct 21 10:33:54 2019 +0200 perf/aux: Fix tracking of auxiliary trace buffer allocation [ Upstream commit 5e6c3c7b1ec217c1c4c95d9148182302b9969b97 ] The following commit from the v5.4 merge window: d44248a41337 ("perf/core: Rework memory accounting in perf_mmap()") … breaks auxiliary trace buffer tracking. If I run command ‘perf record -e rbd000’ to record samples and saving them in the **auxiliary** trace buffer then the value of ‘locked_vm’ becomes negative after all trace buffers have been allocated and released: During allocation the values increase: [52.250027] perf_mmap user->locked_vm:0x87 pinned_vm:0x0 ret:0 [52.250115] perf_mmap user->locked_vm:0x107 pinned_vm:0x0 ret:0 [52.250251] perf_mmap user->locked_vm:0x188 pinned_vm:0x0 ret:0 [52.250326] perf_mmap user->locked_vm:0x208 pinned_vm:0x0 ret:0 [52.250441] perf_mmap user->locked_vm:0x289 pinned_vm:0x0 ret:0 [52.250498] perf_mmap user->locked_vm:0x309 pinned_vm:0x0 ret:0 [52.250613] perf_mmap user->locked_vm:0x38a pinned_vm:0x0 ret:0 [52.250715] perf_mmap user->locked_vm:0x408 pinned_vm:0x2 ret:0 [52.250834] perf_mmap user->locked_vm:0x408 pinned_vm:0x83 ret:0 [52.250915] perf_mmap user->locked_vm:0x408 pinned_vm:0x103 ret:0 [52.251061] perf_mmap user->locked_vm:0x408 pinned_vm:0x184 ret:0 [52.251146] perf_mmap user->locked_vm:0x408 pinned_vm:0x204 ret:0 [52.251299] perf_mmap user->locked_vm:0x408 pinned_vm:0x285 ret:0 [52.251383] perf_mmap user->locked_vm:0x408 pinned_vm:0x305 ret:0 [52.251544] perf_mmap user->locked_vm:0x408 pinned_vm:0x386 ret:0 [52.251634] perf_mmap user->locked_vm:0x408 pinned_vm:0x406 ret:0 [52.253018] perf_mmap user->locked_vm:0x408 pinned_vm:0x487 ret:0 [52.253197] perf_mmap user->locked_vm:0x408 pinned_vm:0x508 ret:0 [52.253374] perf_mmap user->locked_vm:0x408 pinned_vm:0x589 ret:0 [52.253550] perf_mmap user->locked_vm:0x408 pinned_vm:0x60a ret:0 [52.253726] perf_mmap user->locked_vm:0x408 pinned_vm:0x68b ret:0 [52.253903] perf_mmap user->locked_vm:0x408 pinned_vm:0x70c ret:0 [52.254084] perf_mmap user->locked_vm:0x408 pinned_vm:0x78d ret:0 [52.254263] perf_mmap user->locked_vm:0x408 pinned_vm:0x80e ret:0 The value of user->locked_vm increases to a limit then the memory is tracked by pinned_vm. During deallocation the size is subtracted from pinned_vm until it hits a limit. Then a larger value is subtracted from locked_vm leading to a large number (because of type unsigned): [64.267797] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x78d [64.267826] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x70c [64.267848] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x68b [64.267869] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x60a [64.267891] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x589 [64.267911] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x508 [64.267933] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x487 [64.267952] perf_mmap_close mmap_user->locked_vm:0x408 pinned_vm:0x406 [64.268883] perf_mmap_close mmap_user->locked_vm:0x307 pinned_vm:0x406 [64.269117] perf_mmap_close mmap_user->locked_vm:0x206 pinned_vm:0x406 [64.269433] perf_mmap_close mmap_user->locked_vm:0x105 pinned_vm:0x406 [64.269536] perf_mmap_close mmap_user->locked_vm:0x4 pinned_vm:0x404 [64.269797] perf_mmap_close mmap_user->locked_vm:0xffffffffffffff84 pinned_vm:0x303 [64.270105] perf_mmap_close mmap_user->locked_vm:0xffffffffffffff04 pinned_vm:0x202 [64.270374] perf_mmap_close mmap_user->locked_vm:0xfffffffffffffe84 pinned_vm:0x101 [64.270628] perf_mmap_close mmap_user->locked_vm:0xfffffffffffffe04 pinned_vm:0x0 This value sticks for the user until system is rebooted, causing follow-on system calls using locked_vm resource limit to fail. Note: There is no issue using the normal trace buffer. In fact the issue is in perf_mmap_close(). During allocation auxiliary trace buffer memory is either traced as ‘extra’ and added to ‘pinned_vm’ or trace as ‘user_extra’ and added to ‘locked_vm’. This applies for normal trace buffers and auxiliary trace buffer. However in function perf_mmap_close() all auxiliary trace buffer is subtraced from ‘locked_vm’ and never from ‘pinned_vm’. This breaks the ballance. Signed-off-by: Thomas Richter Acked-by: Peter Zijlstra Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: [email protected] Cc: [email protected] Fixes: d44248a41337 ("perf/core: Rework memory accounting in perf_mmap()") Link: https://lkml.kernel.org/r/[email protected] [ Minor readability edits. ] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 88ce4e503590a85f38d61bfc3ac4f5bd46734bfa Author: Gustavo A. R. Silva Date: Mon Oct 14 12:10:47 2019 -0500 perf annotate: Fix multiple memory and file descriptor leaks [ Upstream commit f948eb45e3af9fb18a0487d0797a773897ef6929 ] Store SYMBOL_ANNOTATE_ERRNO__BPF_MISSING_BTF in variable *ret*, instead of returning in the middle of the function and leaking multiple resources: prog_linfo, btf, s and bfdf. Addresses-Coverity-ID: 1454832 (“Structurally dead code”) Fixes: 11aad897f6d1 (“perf annotate: Don’t return -1 for error when doing BPF disassembly”) Signed-off-by: Gustavo A. R. Silva Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Link: http://lore.kernel.org/lkml/20191014171047.GA30850@embeddedor Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 1eca0cbc9b613ac67f71e84f97c5380c563cd63a Author: Petr Mladek Date: Fri Oct 11 16:21:34 2019 +0200 tracing: Initialize iter->seq after zeroing in tracing_read_pipe() [ Upstream commit d303de1fcf344ff7c15ed64c3f48a991c9958775 ] A customer reported the following softlockup: [899688.160002] NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [test.sh:16464] [899688.160002] CPU: 0 PID: 16464 Comm: test.sh Not tainted 4.12.14-6.23-azure #1 SLE12-SP4 [899688.160002] RIP: 0010:up_write+0x1a/0x30 [899688.160002] Kernel panic - not syncing: softlockup: hung tasks [899688.160002] RIP: 0010:up_write+0x1a/0x30 [899688.160002] RSP: 0018:ffffa86784d4fde8 EFLAGS: 00000257 ORIG_RAX: ffffffffffffff12 [899688.160002] RAX: ffffffff970fea00 RBX: 0000000000000001 RCX: 0000000000000000 [899688.160002] RDX: ffffffff00000001 RSI: 0000000000000080 RDI: ffffffff970fea00 [899688.160002] RBP: ffffffffffffffff R08: ffffffffffffffff R09: 0000000000000000 [899688.160002] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8b59014720d8 [899688.160002] R13: ffff8b59014720c0 R14: ffff8b5901471090 R15: ffff8b5901470000 [899688.160002] tracing_read_pipe+0x336/0x3c0 [899688.160002] __vfs_read+0x26/0x140 [899688.160002] vfs_read+0x87/0x130 [899688.160002] SyS_read+0x42/0x90 [899688.160002] do_syscall_64+0x74/0x160 It caught the process in the middle of trace_access_unlock(). There is no loop. So, it must be looping in the caller tracing_read_pipe() via the “waitagain” label. Crashdump analyze uncovered that iter->seq was completely zeroed at this point, including iter->seq.seq.size. It means that print_trace_line() was never able to print anything and there was no forward progress. The culprit seems to be in the code: /* reset all but tr, trace, and overruns */ memset(&iter->seq, 0, sizeof(struct trace_iterator) - offsetof(struct trace_iterator, seq)); It was added by the commit 53d0aa773053ab182877 (“ftrace: add logic to record overruns”). It was v2.6.27-rc1. It was the time when iter->seq looked like: struct trace_seq { unsigned char buffer[PAGE_SIZE]; unsigned int len; }; There was no “size” variable and zeroing was perfectly fine. The solution is to reinitialize the structure after or without zeroing. Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Petr Mladek Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Sasha Levin commit bf8c1108547174bb777870e2c671a092ccdf0b9c Author: Christian Borntraeger Date: Tue Oct 8 17:02:32 2019 +0200 s390/uaccess: avoid (false positive) compiler warnings [ Upstream commit 062795fcdcb2d22822fb42644b1d76a8ad8439b3 ] Depending on inlining decisions by the compiler, __get/put_user_fn might become out of line. Then the compiler is no longer able to tell that size can only be 1,2,4 or 8 due to the check in __get/put_user resulting in false positives like ./arch/s390/include/asm/uaccess.h: In function ‘__put_user_fn’: ./arch/s390/include/asm/uaccess.h:113:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized] 113 | return rc; | ^~ ./arch/s390/include/asm/uaccess.h: In function ‘__get_user_fn’: ./arch/s390/include/asm/uaccess.h:143:9: warning: ‘rc’ may be used uninitialized in this function [-Wmaybe-uninitialized] 143 | return rc; | ^~ These functions are supposed to be always inlined. Mark it as such. Signed-off-by: Christian Borntraeger Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit 993ab8deb65a6c2029376e543ce96171ab0a70fb Author: Benjamin Coddington Date: Wed Oct 2 10:40:55 2019 -0400 SUNRPC: fix race to sk_err after xs_error_report [ Upstream commit af84537dbd1b39505d1f3d8023029b4a59666513 ] Since commit 4f8943f80883 (“SUNRPC: Replace direct task wakeups from softirq context”) there has been a race to the value of the sk_err if both XPRT_SOCK_WAKE_ERROR and XPRT_SOCK_WAKE_DISCONNECT are set. In that case, we may end up losing the sk_err value that existed when xs_error_report was called. Fix this by reverting to the previous behavior: instead of using SO_ERROR to retrieve the value at a later time (which might also return sk_err_soft), copy the sk_err value onto struct sock_xprt, and use that value to wake pending tasks. Signed-off-by: Benjamin Coddington Fixes: 4f8943f80883 (“SUNRPC: Replace direct task wakeups from softirq context”) Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit fd51ff093de45f54052ba65b90886a2868779fc5 Author: Chuck Lever Date: Fri Oct 4 09:58:54 2019 -0400 NFSv4: Fix leak of clp->cl_acceptor string [ Upstream commit 1047ec868332034d1fbcb2fae19fe6d4cb869ff2 ] Our client can issue multiple SETCLIENTID operations to the same server in some circumstances. Ensure that calls to nfs4_proc_setclientid() after the first one do not overwrite the previously allocated cl_acceptor string. unreferenced object 0xffff888461031800 (size 32): comm "mount.nfs", pid 2227, jiffies 4294822467 (age 1407.749s) hex dump (first 32 bytes): 6e 66 73 40 6b 6c 69 6d 74 2e 69 62 2e 31 30 31 [email protected] 35 67 72 61 6e 67 65 72 2e 6e 65 74 00 00 00 00 5granger.net… backtrace: [<00000000ab820188>] __kmalloc+0x128/0x176 [<00000000eeaf4ec8>] gss_stringify_acceptor+0xbd/0x1a7 [auth_rpcgss] [<00000000e85e3382>] nfs4_proc_setclientid+0x34e/0x46c [nfsv4] [<000000003d9cf1fa>] nfs40_discover_server_trunking+0x7a/0xed [nfsv4] [<00000000b81c3787>] nfs4_discover_server_trunking+0x81/0x244 [nfsv4] [<000000000801b55f>] nfs4_init_client+0x1b0/0x238 [nfsv4] [<00000000977daf7f>] nfs4_set_client+0xfe/0x14d [nfsv4] [<0000000053a68a2a>] nfs4_create_server+0x107/0x1db [nfsv4] [<0000000088262019>] nfs4_remote_mount+0x2c/0x59 [nfsv4] [<00000000e84a2fd0>] legacy_get_tree+0x2d/0x4c [<00000000797e947c>] vfs_get_tree+0x20/0xc7 [<00000000ecabaaa8>] fc_mount+0xe/0x36 [<00000000f15fafc2>] vfs_kern_mount+0x74/0x8d [<00000000a3ff4e26>] nfs_do_root_mount+0x8a/0xa3 [nfsv4] [<00000000d1c2b337>] nfs4_try_mount+0x58/0xad [nfsv4] [<000000004c9bddee>] nfs_fs_mount+0x820/0x869 [nfs] Fixes: f11b2a1cfbf5 ("nfs4: copy acceptor name from context … ") Signed-off-by: Chuck Lever Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 1df6bb8ce8ababaee2d66add746235a73e5df2db Author: Xiubo Li Date: Thu Sep 19 11:44:27 2019 +0530 nbd: fix possible sysfs duplicate warning [ Upstream commit 862488105b84ca744b3d8ff131e0fcfe10644be1 ] 1. nbd_put takes the mutex and drops nbd->ref to 0. It then does idr_remove and drops the mutex. 2. nbd_genl_connect takes the mutex. idr_find/idr_for_each fails to find an existing device, so it does nbd_dev_add. 3. just before the nbd_put could call nbd_dev_remove or not finished totally, but if nbd_dev_add try to add_disk, we can hit: debugfs: Directory ‘nbd1’ with parent ‘block’ already present! This patch will make sure all the disk add/remove stuff are done by holding the nbd_index_mutex lock. Reported-by: Mike Christie Reviewed-by: Josef Bacik Signed-off-by: Xiubo Li Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit 2ef37b2c9c6820db58c6c5c782e032ff3463f319 Author: Navid Emamdoost Date: Mon Sep 30 15:42:22 2019 -0500 virt: vbox: fix memory leak in hgcm_call_preprocess_linaddr [ Upstream commit e0b0cb9388642c104838fac100a4af32745621e2 ] In hgcm_call_preprocess_linaddr memory is allocated for bounce_buf but is not released if copy_form_user fails. In order to prevent memory leak in case of failure, the assignment to bounce_buf_ret is moved before the error check. This way the allocated bounce_buf will be released by the caller. Fixes: 579db9d45cb4 (“virt: Add vboxguest VMMDEV communication code”) Signed-off-by: Navid Emamdoost Reviewed-by: Hans de Goede Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit fa421fc2060d0e0f44f30f2d47051ccec35f99e1 Author: Halil Pasic Date: Mon Sep 30 17:38:02 2019 +0200 s390/cio: fix virtio-ccw DMA without PV [ Upstream commit 05668e1d74b84c53fbe0f28565e4c9502a6b8a67 ] Commit 37db8985b211 (“s390/cio: add basic protected virtualization support”) breaks virtio-ccw devices with VIRTIO_F_IOMMU_PLATFORM for non Protected Virtualization (PV) guests. The problem is that the dma_mask of the ccw device, which is used by virtio core, gets changed from 64 to 31 bit, because some of the DMA allocations do require 31 bit addressable memory. For PV the only drawback is that some of the virtio structures must end up in ZONE_DMA because we have the bounce the buffers mapped via DMA API anyway. But for non PV guests we have a problem: because of the 31 bit mask guests bigger than 2G are likely to try bouncing buffers. The swiotlb however is only initialized for PV guests, because we don’t want to bounce anything for non PV guests. The first such map kills the guest. Since the DMA API won’t allow us to specify for each allocation whether we need memory from ZONE_DMA (31 bit addressable) or any DMA capable memory will do, let us use coherent_dma_mask (which is used for allocations) to force allocating form ZONE_DMA while changing dma_mask to DMA_BIT_MASK(64) so that at least the streaming API will regard the whole memory DMA capable. Signed-off-by: Halil Pasic Reported-by: Marc Hartmayer Suggested-by: Robin Murphy Fixes: 37db8985b211 (“s390/cio: add basic protected virtualization support”) Link: https://lore.kernel.org/lkml/[email protected] Reviewed-by: Christoph Hellwig Reviewed-by: Cornelia Huck Signed-off-by: Christian Borntraeger Signed-off-by: Vasily Gorbik Signed-off-by: Sasha Levin commit cb379a4304c3a2592d4379e3f8a032a5b114b412 Author: Thomas Bogendoerfer Date: Wed Oct 9 17:10:56 2019 +0200 MIPS: fw: sni: Fix out of bounds init of o32 stack [ Upstream commit efcb529694c3b707dc0471b312944337ba16e4dd ] Use ARRAY_SIZE to caluculate the top of the o32 stack. Signed-off-by: Thomas Bogendoerfer Signed-off-by: Paul Burton Cc: Ralf Baechle Cc: James Hogan Cc: [email protected] Cc: [email protected] Signed-off-by: Sasha Levin commit d44f91536e4e1b50fa2c454793ec6a091e78e65e Author: Thomas Bogendoerfer Date: Wed Oct 9 12:06:00 2019 +0200 MIPS: include: Mark __xchg as __always_inline [ Upstream commit 46f1619500d022501a4f0389f9f4c349ab46bb86 ] Commit ac7c3e4ff401 (“compiler: enable CONFIG_OPTIMIZE_INLINING forcibly”) allows compiler to uninline functions marked as ‘inline’. In cace of __xchg this would cause to reference function __xchg_called_with_bad_pointer, which is an error case for catching bugs and will not happen for correct code, if __xchg is inlined. Signed-off-by: Thomas Bogendoerfer Reviewed-by: Philippe Mathieu-Daudé Signed-off-by: Paul Burton Cc: Ralf Baechle Cc: James Hogan Cc: [email protected] Cc: [email protected] Signed-off-by: Sasha Levin commit 359d43a16d8228e7cdd8212b48d852269e9a792a Author: Lorenzo Bianconi Date: Tue Sep 17 00:01:29 2019 +0200 iio: imu: st_lsm6dsx: fix waitime for st_lsm6dsx i2c controller [ Upstream commit fdb828e2c71a09bb9e865f41b015597c5f671705 ] i2c controller available in st_lsm6dsx series performs i2c slave configuration using accel clock as trigger. st_lsm6dsx_shub_wait_complete routine is used to wait the controller has carried out the requested configuration. However if the accel sensor is not enabled we should not use its configured odr to estimate a proper timeout Fixes: c91c1c844ebd (“iio: imu: st_lsm6dsx: add i2c embedded controller support”) Signed-off-by: Lorenzo Bianconi Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit e3589dddef826696e8c073179748833b026330ad Author: Navid Emamdoost Date: Thu Sep 19 10:56:35 2019 -0500 iio: imu: adis16400: fix memory leak [ Upstream commit 9c0530e898f384c5d279bfcebd8bb17af1105873 ] In adis_update_scan_mode_burst, if adis->buffer allocation fails release the adis->xfer. Signed-off-by: Navid Emamdoost Reviewed-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 1694a7a95c1f79d974c7b5397300535af3b4a4bb Author: Navid Emamdoost Date: Thu Sep 19 10:50:02 2019 -0500 iio: imu: adis16400: release allocated memory on failure [ Upstream commit ab612b1daf415b62c58e130cb3d0f30b255a14d0 ] In adis_update_scan_mode, if allocation for adis->buffer fails, previously allocated adis->xfer needs to be released. Signed-off-by: Navid Emamdoost Reviewed-by: Alexandru Ardelean Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 6cc75e06b66b85650d295d99d4e4453756a582b4 Author: Nirmoy Das Date: Fri Oct 4 11:53:37 2019 +0200 drm/amdgpu: fix memory leak [ Upstream commit 083164dbdb17c5ea4ad92c1782b59c9d75567790 ] cleanup error handling code and make sure temporary info array with the handles are freed by amdgpu_bo_list_put() on idr_replace()‘s failure. Signed-off-by: Nirmoy Das Reviewed-by: Christian König Signed-off-by: Alex Deucher Signed-off-by: Sasha Levin commit 60c2f9acfef847d948f9957bca82084c4a6cd0cb Author: Tom Lendacky Date: Thu Aug 1 18:57:41 2019 +0000 perf/x86/amd: Change/fix NMI latency mitigation to use a timestamp [ Upstream commit df4d29732fdad43a51284f826bec3e6ded177540 ] It turns out that the NMI latency workaround from commit: 6d3edaae16c6 (“x86/perf/amd: Resolve NMI latency issues for active PMCs”) ends up being too conservative and results in the perf NMI handler claiming NMIs too easily on AMD hardware when the NMI watchdog is active. This has an impact, for example, on the hpwdt (HPE watchdog timer) module. This module can produce an NMI that is used to reset the system. It registers an NMI handler for the NMI_UNKNOWN type and relies on the fact that nothing has claimed an NMI so that its handler will be invoked when the watchdog device produces an NMI. After the referenced commit, the hpwdt module is unable to process its generated NMI if the NMI watchdog is active, because the current NMI latency mitigation results in the NMI being claimed by the perf NMI handler. Update the AMD perf NMI latency mitigation workaround to, instead, use a window of time. Whenever a PMC is handled in the perf NMI handler, set a timestamp which will act as a perf NMI window. Any NMIs arriving within that window will be claimed by perf. Anything outside that window will not be claimed by perf. The value for the NMI window is set to 100 msecs. This is a conservative value that easily covers any NMI latency in the hardware. While this still results in a window in which the hpwdt module will not receive its NMI, the window is now much, much smaller. Signed-off-by: Tom Lendacky Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Borislav Petkov Cc: Jerry Hoemann Cc: Jiri Olsa Cc: Linus Torvalds Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: 6d3edaae16c6 (“x86/perf/amd: Resolve NMI latency issues for active PMCs”) Link: https://lkml.kernel.org/r/Message-ID: Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit d4b04822616f03573a0df66736bbf4b767afb644 Author: Song Liu Date: Tue Oct 8 09:59:49 2019 -0700 perf/core: Fix corner case in perf_rotate_context() [ Upstream commit 7fa343b7fdc4f351de4e3f28d5c285937dd1f42f ] In perf_rotate_context(), when the first cpu flexible event fail to schedule, cpu_rotate is 1, while cpu_event is NULL. Since cpu_event is NULL, perf_rotate_context will _NOT_ call cpu_ctx_sched_out(), thus cpuctx->ctx.is_active will have EVENT_FLEXIBLE set. Then, the next perf_event_sched_in() will skip all cpu flexible events because of the EVENT_FLEXIBLE bit. In the next call of perf_rotate_context(), cpu_rotate stays 1, and cpu_event stays NULL, so this process repeats. The end result is, flexible events on this cpu will not be scheduled (until another event being added to the cpuctx). Here is an easy repro of this issue. On Intel CPUs, where ref-cycles could only use one counter, run one pinned event for ref-cycles, one flexible event for ref-cycles, and one flexible event for cycles. The flexible ref-cycles is never scheduled, which is expected. However, because of this issue, the cycles event is never scheduled either. $ perf stat -e ref-cycles:D,ref-cycles,cycles -C 5 -I 1000 time counts unit events 1.000152973 15,412,480 ref-cycles:D 1.000152973 ref-cycles (0.00%) 1.000152973 cycles (0.00%) 2.000486957 18,263,120 ref-cycles:D 2.000486957 ref-cycles (0.00%) 2.000486957 cycles (0.00%) To fix this, when the flexible_active list is empty, try rotate the first event in the flexible_groups. Also, rename ctx_first_active() to ctx_event_to_rotate(), which is more accurate. Signed-off-by: Song Liu Signed-off-by: Peter Zijlstra (Intel) Cc: Cc: Arnaldo Carvalho de Melo Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Sasha Levin Cc: Thomas Gleixner Fixes: 8d5bce0c37fa (“perf/core: Optimize perf_rotate_context() event scheduling”) Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 489dbad097a21d510950fac87982e6802181451f Author: Song Liu Date: Wed Sep 4 14:46:18 2019 -0700 perf/core: Rework memory accounting in perf_mmap() [ Upstream commit d44248a41337731a111374822d7d4451b64e73e4 ] perf_mmap() always increases user->locked_vm. As a result, “extra” could grow bigger than "user_extra", which doesn’t make sense. Here is an example case: (Note: Assume “user_lock_limit” is very small.) | # of perf_mmap calls |vma->vm_mm->pinned_vm|user->locked_vm| | 0 | 0 | 0 | | 1 | user_extra | user_extra | | 2 | 3 * user_extra | 2 * user_extra| | 3 | 6 * user_extra | 3 * user_extra| | 4 | 10 * user_extra | 4 * user_extra| Fix this by maintaining proper user_extra and extra. Reviewed-By: Hechao Li Reported-by: Hechao Li Signed-off-by: Song Liu Signed-off-by: Peter Zijlstra (Intel) Cc: Cc: Jie Meng Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 5d14b7753c45b7da6c2a8c1129f1d094f64a9b50 Author: Frederic Weisbecker Date: Wed Sep 25 23:42:42 2019 +0200 sched/vtime: Fix guest/system mis-accounting on task switch [ Upstream commit 68e7a4d66b0ce04bf18ff2ffded5596ab3618585 ] vtime_account_system() assumes that the target task to account cputime to is always the current task. This is most often true indeed except on task switch where we call: vtime_common_task_switch(prev) vtime_account_system(prev) Here prev is the scheduling-out task where we account the cputime to. It doesn’t match current that is already the scheduling-in task at this stage of the context switch. So we end up checking the wrong task flags to determine if we are accounting guest or system time to the previous task. As a result the wrong task is used to check if the target is running in guest mode. We may then spuriously account or leak either system or guest time on task switch. Fix this assumption and also turn vtime_guest_enter/exit() to use the task passed in parameter as well to avoid future similar issues. Signed-off-by: Frederic Weisbecker Signed-off-by: Peter Zijlstra (Intel) Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Rik van Riel Cc: Thomas Gleixner Cc: Wanpeng Li Fixes: 2a42eb9594a1 (“sched/cputime: Accumulate vtime on top of nsec clocksource”) Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit b0771e86502351ef5ee7cc3aaf4387f7ca38e773 Author: Xuewei Zhang Date: Thu Oct 3 17:12:43 2019 -0700 sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision [ Upstream commit 4929a4e6faa0f13289a67cae98139e727f0d4a97 ] The quota/period ratio is used to ensure a child task group won’t get more bandwidth than the parent task group, and is calculated as: normalized_cfs_quota() = [(quota_us << 20) / period_us] If the quota/period ratio was changed during this scaling due to precision loss, it will cause inconsistency between parent and child task groups. See below example: A userspace container manager (kubelet) does three operations: 1) Create a parent cgroup, set quota to 1,000us and period to 10,000us. 2) Create a few children cgroups. 3) Set quota to 1,000us and period to 10,000us on a child cgroup. These operations are expected to succeed. However, if the scaling of 147/128 happens before step 3, quota and period of the parent cgroup will be changed: new_quota: 1148437ns, 1148us new_period: 11484375ns, 11484us And when step 3 comes in, the ratio of the child cgroup will be 104857, which will be larger than the parent cgroup ratio (104821), and will fail. Scaling them by a factor of 2 will fix the problem. Tested-by: Phil Auld Signed-off-by: Xuewei Zhang Signed-off-by: Peter Zijlstra (Intel) Acked-by: Phil Auld Cc: Anton Blanchard Cc: Ben Segall Cc: Dietmar Eggemann Cc: Juri Lelli Cc: Linus Torvalds Cc: Mel Gorman Cc: Peter Zijlstra Cc: Steven Rostedt Cc: Thomas Gleixner Cc: Vincent Guittot Fixes: 2e8e19226398 (“sched/fair: Limit sched_cfs_period_timer() loop to avoid hard lockup”) Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 1a7fe7a637b9e1025a0270d13ca7536b233f0255 Author: Kan Liang Date: Tue Oct 8 08:50:02 2019 -0700 x86/cpu: Add Comet Lake to the Intel CPU models header [ Upstream commit 8d7c6ac3b2371eb1cbc9925a88f4d10efff374de ] Comet Lake is the new 10th Gen Intel processor. Add two new CPU model numbers to the Intel family list. The CPU model numbers are not published in the SDM yet but they come from an authoritative internal source. [ bp: Touch up commit message. ] Signed-off-by: Kan Liang Signed-off-by: Borislav Petkov Reviewed-by: Tony Luck Cc: [email protected] Cc: “H. Peter Anvin” Cc: Ingo Molnar Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: x86-ml Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Sasha Levin commit 13894f5b36090cc597e71fd6c6b6cdd4aaf3fdae Author: Yunfeng Ye Date: Sun Sep 29 12:44:17 2019 +0800 arm64: armv8_deprecated: Checking return value for memory allocation [ Upstream commit 3e7c93bd04edfb0cae7dad1215544c9350254b8f ] There are no return value checking when using kzalloc() and kcalloc() for memory allocation. so add it. Signed-off-by: Yunfeng Ye Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit f839cea971ada1823fe88f439802aaf1e1dcfe84 Author: Austin Kim Date: Tue Sep 3 12:30:19 2019 +0900 btrfs: silence maybe-uninitialized warning in clone_range [ Upstream commit 431d39887d6273d6d84edf3c2eab09f4200e788a ] GCC throws warning message as below: ‘clone_src_i_size’ may be used uninitialized in this function [-Wmaybe-uninitialized] #define IS_ALIGNED(x, a) (((x) & ((typeof(x))(a) - 1)) == 0) ^ fs/btrfs/send.c:5088:6: note: ‘clone_src_i_size’ was declared here u64 clone_src_i_size; ^ The clone_src_i_size is only used as call-by-reference in a call to get_inode_info(). Silence the warning by initializing clone_src_i_size to 0. Note that the warning is a false positive and reported by older versions of GCC (eg. 7.x) but not eg 9.x. As there have been numerous people, the patch is applied. Setting clone_src_i_size to 0 does not otherwise make sense and would not do any action in case the code changes in the future. Signed-off-by: Austin Kim Reviewed-by: David Sterba [ add note ] Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit f6604a1a2a25fca08fc775c99c0b0a5c243d8bf1 Author: Jia-Ju Bai Date: Sun Oct 6 17:57:57 2019 -0700 fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc() [ Upstream commit 2abb7d3b12d007c30193f48bebed781009bebdd2 ] In ocfs2_info_scan_inode_alloc(), there is an if statement on line 283 to check whether inode_alloc is NULL: if (inode_alloc) When inode_alloc is NULL, it is used on line 287: ocfs2_inode_lock(inode_alloc, &bh, 0); ocfs2_inode_lock_full_nested(inode, …) struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); Thus, a possible null-pointer dereference may occur. To fix this bug, inode_alloc is checked on line 286. This bug is found by a static analysis tool STCheck written by us. Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Jia-Ju Bai Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 03fa98e783364921545389921b7e5ed49e534c24 Author: Jia-Ju Bai Date: Sun Oct 6 17:57:54 2019 -0700 fs: ocfs2: fix a possible null-pointer dereference in ocfs2_write_end_nolock() [ Upstream commit 583fee3e12df0e6f1f66f063b989d8e7fed0e65a ] In ocfs2_write_end_nolock(), there are an if statement on lines 1976, 2047 and 2058, to check whether handle is NULL: if (handle) When handle is NULL, it is used on line 2045: ocfs2_update_inode_fsync_trans(handle, inode, 1); oi->i_sync_tid = handle->h_transaction->t_tid; Thus, a possible null-pointer dereference may occur. To fix this bug, handle is checked before calling ocfs2_update_inode_fsync_trans(). This bug is found by a static analysis tool STCheck written by us. Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Jia-Ju Bai Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit deac6be41be843d02053f7c2f64be815c589998b Author: Jia-Ju Bai Date: Sun Oct 6 17:57:50 2019 -0700 fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry() [ Upstream commit 56e94ea132bb5c2c1d0b60a6aeb34dcb7d71a53d ] In ocfs2_xa_prepare_entry(), there is an if statement on line 2136 to check whether loc->xl_entry is NULL: if (loc->xl_entry) When loc->xl_entry is NULL, it is used on line 2158: ocfs2_xa_add_entry(loc, name_hash); loc->xl_entry->xe_name_hash = cpu_to_le32(name_hash); loc->xl_entry->xe_name_offset = cpu_to_le16(loc->xl_size); and line 2164: ocfs2_xa_add_namevalue(loc, xi); loc->xl_entry->xe_value_size = cpu_to_le64(xi->xi_value_len); loc->xl_entry->xe_name_len = xi->xi_name_len; Thus, possible null-pointer dereferences may occur. To fix these bugs, if loc-xl_entry is NULL, ocfs2_xa_prepare_entry() abnormally returns with -EINVAL. These bugs are found by a static analysis tool STCheck written by us. [[email protected]: remove now-unused ocfs2_xa_add_entry()] Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Jia-Ju Bai Reviewed-by: Joseph Qi Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Changwei Ge Cc: Gang He Cc: Jun Piao Cc: Stephen Rothwell Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit ae388165d72fe8f16a4278822e742defe715911b Author: Jia Guo Date: Sun Oct 6 17:57:47 2019 -0700 ocfs2: clear zero in unaligned direct IO [ Upstream commit 7a243c82ea527cd1da47381ad9cd646844f3b693 ] Unused portion of a part-written fs-block-sized block is not set to zero in unaligned append direct write.This can lead to serious data inconsistencies. Ocfs2 manage disk with cluster size(for example, 1M), part-written in one cluster will change the cluster state from UN-WRITTEN to WRITTEN, VFS(function dio_zero_block) doesn’t do the cleaning because bh’s state is not set to NEW in function ocfs2_dio_wr_get_block when we write a WRITTEN cluster. For example, the cluster size is 1M, file size is 8k and we direct write from 14k to 15k, then 12k~14k and 15k~16k will contain dirty data. We have to deal with two cases: 1.The starting position of direct write is outside the file. 2.The starting position of direct write is located in the file. We need set bh’s state to NEW in the first case. In the second case, we need mapped twice because bh’s state of area out file should be set to NEW while area in file not. [[email protected]: coding style fixes] Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Jia Guo Reviewed-by: Yiwen Jiang Cc: Mark Fasheh Cc: Joel Becker Cc: Junxiao Bi Cc: Joseph Qi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 7ed7e30ca56ca3c95c0ce2f54df430354df0b8da Author: Boris Ostrovsky Date: Mon Sep 30 16:44:41 2019 -0400 x86/xen: Return from panic notifier [ Upstream commit c6875f3aacf2a5a913205accddabf0bfb75cac76 ] Currently execution of panic() continues until Xen’s panic notifier (xen_panic_event()) is called at which point we make a hypercall that never returns. This means that any notifier that is supposed to be called later as well as significant part of panic() code (such as pstore writes from kmsg_dump()) is never executed. There is no reason for xen_panic_event() to be this last point in execution since panic()‘s emergency_restart() will call into xen_emergency_restart() from where we can perform our hypercall. Nevertheless, we will provide xen_legacy_crash boot option that will preserve original behavior during crash. This option could be used, for example, if running kernel dumper (which happens after panic notifiers) is undesirable. Reported-by: James Dingwall Signed-off-by: Boris Ostrovsky Reviewed-by: Juergen Gross Signed-off-by: Sasha Levin commit 3876cf044811c05efd24352c7cf15f11f0b8a515 Author: Vincent Chen Date: Mon Sep 23 08:45:16 2019 +0800 riscv: Correct the handling of unexpected ebreak in do_trap_break() [ Upstream commit 8bb0daef64e5a92db63ad1d3bbf9e280a7b3612a ] For the kernel space, all ebreak instructions are determined at compile time because the kernel space debugging module is currently unsupported. Hence, it should be treated as a bug if an ebreak instruction which does not belong to BUG_TRAP_TYPE_WARN or BUG_TRAP_TYPE_BUG is executed in kernel space. For the userspace, debugging module or user problem may intentionally insert an ebreak instruction to trigger a SIGTRAP signal. To approach the above two situations, the do_trap_break() will direct the BUG_TRAP_TYPE_NONE ebreak exception issued in kernel space to die() and will send a SIGTRAP to the trapped process only when the ebreak is in userspace. Signed-off-by: Vincent Chen Reviewed-by: Christoph Hellwig [[email protected]: fixed checkpatch issue] Signed-off-by: Paul Walmsley Signed-off-by: Sasha Levin commit 50fc07843a61a8ea0f72af1490561261dd6254e2 Author: Vincent Chen Date: Mon Sep 23 08:45:15 2019 +0800 riscv: avoid sending a SIGTRAP to a user thread trapped in WARN() [ Upstream commit e0c0fc18f10d5080cddde0e81505fd3e952c20c4 ] On RISC-V, when the kernel runs code on behalf of a user thread, and the kernel executes a WARN() or WARN_ON(), the user thread will be sent a bogus SIGTRAP. Fix the RISC-V kernel code to not send a SIGTRAP when a WARN()/WARN_ON() is executed. Signed-off-by: Vincent Chen Reviewed-by: Christoph Hellwig [[email protected]: fixed subject] Signed-off-by: Paul Walmsley Signed-off-by: Sasha Levin commit e449496d23aa20affae2e39c268ec13f0c81e96f Author: Vincent Chen Date: Mon Sep 23 08:45:14 2019 +0800 riscv: avoid kernel hangs when trapped in BUG() [ Upstream commit 8b04825ed205da38754f86f4c07ea8600d8c2a65 ] When the CONFIG_GENERIC_BUG is disabled by disabling CONFIG_BUG, if a kernel thread is trapped by BUG(), the whole system will be in the loop that infinitely handles the ebreak exception instead of entering the die function. To fix this problem, the do_trap_break() will always call the die() to deal with the break exception as the type of break is BUG_TRAP_TYPE_BUG. Signed-off-by: Vincent Chen Reviewed-by: Christoph Hellwig Signed-off-by: Paul Walmsley Signed-off-by: Sasha Levin commit 2247d799b2dbfecc69c187851873905f89ca94ed Author: Thomas Bogendoerfer Date: Sun Oct 6 15:12:32 2019 +0200 MIPS: include: Mark __cmpxchg as __always_inline [ Upstream commit 88356d09904bc606182c625575237269aeece22e ] Commit ac7c3e4ff401 (“compiler: enable CONFIG_OPTIMIZE_INLINING forcibly”) allows compiler to uninline functions marked as ‘inline’. In cace of cmpxchg this would cause to reference function __cmpxchg_called_with_bad_pointer, which is a error case for catching bugs and will not happen for correct code, if __cmpxchg is inlined. Signed-off-by: Thomas Bogendoerfer [[email protected]: s/__cmpxchd/__cmpxchg in subject] Signed-off-by: Paul Burton Cc: Ralf Baechle Cc: James Hogan Cc: [email protected] Cc: [email protected] Signed-off-by: Sasha Levin commit e23f7a518c673b527457b1222dd02e89cffbefa1 Author: Dave Young Date: Wed Oct 2 18:59:04 2019 +0200 efi/x86: Do not clean dummy variable in kexec path [ Upstream commit 2ecb7402cfc7f22764e7bbc80790e66eadb20560 ] kexec reboot fails randomly in UEFI based KVM guest. The firmware just resets while calling efi_delete_dummy_variable(); Unfortunately I don’t know how to debug the firmware, it is also possible a potential problem on real hardware as well although nobody reproduced it. The intention of the efi_delete_dummy_variable is to trigger garbage collection when entering virtual mode. But SetVirtualAddressMap can only run once for each physical reboot, thus kexec_enter_virtual_mode() is not necessarily a good place to clean a dummy object. Drop the efi_delete_dummy_variable so that kexec reboot can work. Signed-off-by: Dave Young Signed-off-by: Ard Biesheuvel Acked-by: Matthew Garrett Cc: Ben Dooks Cc: Jarkko Sakkinen Cc: Jerry Snitselaar Cc: Linus Torvalds Cc: Lukas Wunner Cc: Lyude Paul Cc: Octavian Purdila Cc: Peter Jones Cc: Peter Zijlstra Cc: Scott Talbert Cc: Thomas Gleixner Cc: [email protected] Cc: [email protected] Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 7f6ee70600306756ac0122a184447743030b779a Author: Lukas Wunner Date: Wed Oct 2 18:58:58 2019 +0200 efi/cper: Fix endianness of PCIe class code [ Upstream commit 6fb9367a15d1a126d222d738b2702c7958594a5f ] The CPER parser assumes that the class code is big endian, but at least on this edk2-derived Intel Purley platform it’s little endian: efi: EFI v2.50 by EDK II BIOS ID:PLYDCRB1.86B.0119.R05.1701181843 DMI: Intel Corporation PURLEY/PURLEY, BIOS PLYDCRB1.86B.0119.R05.1701181843 01/18/2017 {1}[Hardware Error]: device_id: 0000:5d:00.0 {1}[Hardware Error]: slot: 0 {1}[Hardware Error]: secondary_bus: 0x5e {1}[Hardware Error]: vendor_id: 0x8086, device_id: 0x2030 {1}[Hardware Error]: class_code: 000406 ^^^^^^ (should be 060400) Signed-off-by: Lukas Wunner Signed-off-by: Ard Biesheuvel Cc: Ben Dooks Cc: Dave Young Cc: Jarkko Sakkinen Cc: Jerry Snitselaar Cc: Linus Torvalds Cc: Lyude Paul Cc: Matthew Garrett Cc: Octavian Purdila Cc: Peter Jones Cc: Peter Zijlstra Cc: Scott Talbert Cc: Thomas Gleixner Cc: [email protected] Cc: [email protected] Link: https://lkml.kernel.org/r/[email protected] Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 1cc874e69a6046b9f777b4d9303ac170906ae91b Author: Will Deacon Date: Fri Oct 4 15:44:45 2019 +0100 arm64: vdso32: Don’t use KBUILD_CPPFLAGS unconditionally [ Upstream commit c71e88c437962c1ec43d4d23a0ebf4c9cf9bee0d ] KBUILD_CPPFLAGS is defined differently depending on whether the main compiler is clang or not. This means that it is not possible to build the compat vDSO with GCC if the rest of the kernel is built with clang. Define VDSO_CPPFLAGS directly to break this dependency and allow a clang kernel to build a compat vDSO with GCC: $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- \ CROSS_COMPILE_COMPAT=arm-linux-gnueabihf- CC=clang \ COMPATCC=arm-linux-gnueabihf-gcc Acked-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 6c47a6ecc2ac7d8d46ea3afe0130dd20bdb29a23 Author: Will Deacon Date: Fri Oct 4 14:08:13 2019 +0100 arm64: Default to building compat vDSO with clang when CONFIG_CC_IS_CLANG [ Upstream commit 24ee01a927bfe56c66429ec4b1df6955a814adc8 ] Rather than force the use of GCC for the compat cross-compiler, instead extract the target from CROSS_COMPILE_COMPAT and pass it to clang if the main compiler is clang. Acked-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 622df2b29ba57809c83210f56451fa3cc6b1ec16 Author: Adam Ford Date: Sun Oct 6 11:33:12 2019 -0500 serial: 8250_omap: Fix gpio check for auto RTS/CTS [ Upstream commit fc64f7abbef2dae7ee4c94702fb3cf9a2be5431a ] There are two checks to see if the manual gpio is configured, but these the check is seeing if the structure is NULL instead it should check to see if there are CTS and/or RTS pins defined. This patch uses checks for those individual pins instead of checking for the structure itself to restore auto RTS/CTS. Signed-off-by: Adam Ford Reviewed-by: Yegor Yefremov Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 07d7a3e98c1048f2bfdbd250e8f87944b48f513e Author: Adam Ford Date: Sun Oct 6 11:33:11 2019 -0500 serial: mctrl_gpio: Check for NULL pointer [ Upstream commit 37e3ab00e4734acc15d96b2926aab55c894f4d9c ] When using mctrl_gpio_to_gpiod, it dereferences gpios into a single requested GPIO. This dereferencing can break if gpios is NULL, so this patch adds a NULL check before dereferencing it. If gpios is NULL, this function will also return NULL. Signed-off-by: Adam Ford Reviewed-by: Yegor Yefremov Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 531da3831c0272e5a09b7c20929a2b01978f868d Author: Vincenzo Frascino Date: Thu Oct 3 18:48:34 2019 +0100 arm64: vdso32: Detect binutils support for dmb ishld [ Upstream commit 0df2c90eba60791148cee1823c0bf5fc66e3465c ] Older versions of binutils (prior to 2.24) do not support the “ISHLD” option for memory barrier instructions, which leads to a build failure when assembling the vdso32 library. Add a compilation time mechanism that detects if binutils supports those instructions and configure the kernel accordingly. Cc: Will Deacon Cc: Catalin Marinas Reported-by: Will Deacon Signed-off-by: Vincenzo Frascino Reviewed-by: Catalin Marinas Tested-by: Catalin Marinas Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 818845bbcb4acb437cd6c7a4fe7bc2dad0da2cfa Author: Vincenzo Frascino Date: Thu Oct 3 18:48:33 2019 +0100 arm64: vdso32: Fix broken compat vDSO build warnings [ Upstream commit e0de01aafc3dd7b73308106b056ead2d48391905 ] The .config file and the generated include/config/auto.conf can end up out of sync after a set of commands since CONFIG_CROSS_COMPILE_COMPAT_VDSO is not updated correctly. The sequence can be reproduced as follows: $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- defconfig […] $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- menuconfig [set CONFIG_CROSS_COMPILE_COMPAT_VDSO="arm-linux-gnueabihf-"] $ make ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- Which results in: arch/arm64/Makefile:62: CROSS_COMPILE_COMPAT not defined or empty, the compat vDSO will not be built even though the compat vDSO has been built: $ file arch/arm64/kernel/vdso32/vdso.so arch/arm64/kernel/vdso32/vdso.so: ELF 32-bit LSB pie executable, ARM, EABI5 version 1 (SYSV), dynamically linked, BuildID[sha1]=c67f6c786f2d2d6f86c71f708595594aa25247f6, stripped A similar case that involves changing the configuration parameter multiple times can be reconducted to the same family of problems. Remove the use of CONFIG_CROSS_COMPILE_COMPAT_VDSO altogether and instead rely on the cross-compiler prefix coming from the environment via CROSS_COMPILE_COMPAT, much like we do for the rest of the kernel. Cc: Will Deacon Cc: Catalin Marinas Reported-by: Will Deacon Signed-off-by: Vincenzo Frascino Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 5ed0045f98d220b3332f80aa3fc07850778af65b Author: Austin Kim Date: Tue Oct 1 16:34:13 2019 +0900 fs: cifs: mute -Wunused-const-variable message [ Upstream commit dd19c106a36690b47bb1acc68372f2b472b495b8 ] After ‘Initial git repository build’ commit, ‘mapping_table_ERRHRD’ variable has not been used. So ‘mapping_table_ERRHRD’ const variable could be removed to mute below warning message: fs/cifs/netmisc.c:120:40: warning: unused variable ‘mapping_table_ERRHRD’ [-Wunused-const-variable] static const struct smb_to_posix_error mapping_table_ERRHRD[] = { ^ Signed-off-by: Austin Kim Signed-off-by: Steve French Signed-off-by: Sasha Levin commit 5ee735af141a2e569cfb2ac96851f3bca777e868 Author: Thierry Reding Date: Wed Oct 2 14:28:23 2019 +0200 gpio: max77620: Use correct unit for debounce times [ Upstream commit fffa6af94894126994a7600c6f6f09b892e89fa9 ] The gpiod_set_debounce() function takes the debounce time in microseconds. Adjust the switch/case values in the MAX77620 GPIO to use the correct unit. Signed-off-by: Thierry Reding Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 49df08ddbdb7211561a2b1e1ca66fa7b2ea20fb2 Author: Jason Gunthorpe Date: Tue Oct 1 12:38:21 2019 -0300 RDMA/mlx5: Add missing synchronize_srcu() for MW cases [ Upstream commit 0417791536ae1e28d7f0418f1d20048ec4d3c6cf ] While MR uses live as the SRCU ‘update’, the MW case uses the xarray directly, xa_erase() causes the MW to become inaccessible to the pagefault thread. Thus whenever a MW is removed from the xarray we must synchronize_srcu() before freeing it. This must be done before freeing the mkey as re-use of the mkey while the pagefault thread is using the stale mkey is undesirable. Add the missing synchronizes to MW and DEVX indirect mkey and delete the bogus protection against double destroy in mlx5_core_destroy_mkey() Fixes: 534fd7aac56a (“IB/mlx5: Manage indirection mkey upon DEVX flow for ODP”) Fixes: 6aec21f6a832 (“IB/mlx5: Page faults handling infrastructure”) Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Artemy Kovalyov Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 45df94c2ad281721db6021ba1466e642828505da Author: Jason Gunthorpe Date: Tue Oct 1 12:38:19 2019 -0300 RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu [ Upstream commit aa116b810ac9077a263ed8679fb4d595f180e0eb ] During destroy setting live = 0 and then synchronize_srcu() prevents num_pending_prefetch from incrementing, and also, ensures that all work holding that count is queued on the WQ. Testing before causes races of the form: CPU0 CPU1 dereg_mr() mlx5_ib_advise_mr_prefetch() srcu_read_lock() num_pending_prefetch_inc() if (!live) live = 0 atomic_read() == 0 // skip flush_workqueue() atomic_inc() queue_work(); srcu_read_unlock() WARN_ON(atomic_read()) // Fails Swap the order so that the synchronize_srcu() prevents this. Fixes: a6bc3875f176 (“IB/mlx5: Protect against prefetch of invalid MR”) Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Artemy Kovalyov Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit fb5e59a03021d8ce41ae290d4a5de62bd5bd8ff4 Author: Jason Gunthorpe Date: Tue Oct 1 12:38:16 2019 -0300 RDMA/mlx5: Do not allow rereg of a ODP MR [ Upstream commit 880505cfef1d086d18b59d2920eb2160429ffa1f ] This code is completely broken, the umem of a ODP MR simply cannot be discarded without a lot more locking, nor can an ODP mkey be blithely destroyed via destroy_mkey(). Fixes: 6aec21f6a832 (“IB/mlx5: Page faults handling infrastructure”) Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Artemy Kovalyov Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 2f3d47868302c12b85ba7837afdff4ea79ab564d Author: Leon Romanovsky Date: Wed Oct 2 14:56:27 2019 +0300 RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path [ Upstream commit 594e6c5d41ed2471ab0b90f3f0b66cdf618b7ac9 ] Properly unwind QP counter rebinding in case of failure. Trying to rebind the counter after unbiding it is not going to work reliably, move the unbind to the end so it doesn’t have to be unwound. Fixes: b389327df905 (“RDMA/nldev: Allow counter manual mode configration through RDMA netlink”) Link: https://lore.kernel.org/r/[email protected] Reviewed-by: Mark Zhang Signed-off-by: Leon Romanovsky Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit afc991db5c2f40f2b4a0b6a88c9f8920e022fa11 Author: Jack Morgenstein Date: Mon Sep 16 10:11:51 2019 +0300 RDMA/cm: Fix memory leak in cm_add/remove_one [ Upstream commit 94635c36f3854934a46d9e812e028d4721bbb0e6 ] In the process of moving the debug counters sysfs entries, the commit mentioned below eliminated the cm_infiniband sysfs directory. This sysfs directory was tied to the cm_port object allocated in procedure cm_add_one(). Before the commit below, this cm_port object was freed via a call to kobject_put(port->kobj) in procedure cm_remove_port_fs(). Since port no longer uses its kobj, kobject_put(port->kobj) was eliminated. This, however, meant that kfree was never called for the cm_port buffers. Fix this by adding explicit kfree(port) calls to functions cm_add_one() and cm_remove_one(). Note: the kfree call in the first chunk below (in the cm_add_one error flow) fixes an old, undetected memory leak. Fixes: c87e65cfb97c (“RDMA/cm: Move debug counters to be under relevant IB device”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Jack Morgenstein Signed-off-by: Leon Romanovsky Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 0e1d64ba772643c2bf316b20340a516f9dad8099 Author: Christophe JAILLET Date: Sun Aug 18 11:10:44 2019 +0200 RDMA/core: Fix an error handling path in ‘res_get_common_doit()' [ Upstream commit ab59ca3eb4e7059727df85eee68bda169d26c8f8 ] According to surrounding error paths, it is likely that ‘goto err_get;’ is expected here. Otherwise, a call to ‘rdma_restrack_put(res);’ would be missing. Fixes: c5dfe0ea6ffa (“RDMA/nldev: Add resource tracker doit callback”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Christophe JAILLET Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 5de5b6d281c2e2549030b2be1824a5033154a504 Author: Navid Emamdoost Date: Wed Sep 25 10:27:41 2019 -0500 misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach [ Upstream commit fc739a058d99c9297ef6bfd923b809d85855b9a9 ] In fastrpc_dma_buf_attach if dma_get_sgtable fails the allocated memory for a should be released. Signed-off-by: Navid Emamdoost Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit ddcc1b52fc13b5ce74d6c5c3e8a45b9dec2219fb Author: Randy Dunlap Date: Mon Sep 30 19:15:12 2019 -0700 tty: n_hdlc: fix build on SPARC [ Upstream commit 47a7e5e97d4edd7b14974d34f0e5a5560fad2915 ] Fix tty driver build on SPARC by not using __exitdata. It appears that SPARC does not support section .exit.data. Fixes these build errors: `.exit.data’ referenced in section `.exit.text’ of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data’ of drivers/tty/n_hdlc.o `.exit.data’ referenced in section `.exit.text’ of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data’ of drivers/tty/n_hdlc.o `.exit.data’ referenced in section `.exit.text’ of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data’ of drivers/tty/n_hdlc.o `.exit.data’ referenced in section `.exit.text’ of drivers/tty/n_hdlc.o: defined in discarded section `.exit.data’ of drivers/tty/n_hdlc.o Reported-by: kbuild test robot Fixes: 063246641d4a (“format-security: move static strings to const”) Signed-off-by: Randy Dunlap Cc: Kees Cook Cc: Greg Kroah-Hartman Cc: “David S. Miller” Cc: Andrew Morton Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 3861c567287dc3f047f44945d3cacc69d1860863 Author: Christoph Hellwig Date: Tue Sep 10 07:59:23 2019 +0200 serial/sifive: select SERIAL_EARLYCON [ Upstream commit 7e2a165de5a52003d10a611ee3884cdb5c44e8cd ] The sifive serial driver implements earlycon support, but unless another driver is built in that supports earlycon support it won’t be usable. Explicitly select SERIAL_EARLYCON instead. Signed-off-by: Christoph Hellwig Reviewed-by: Paul Walmsley Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 26845a7b3fc104e891389a158f6dc807f489a170 Author: Christophe JAILLET Date: Tue Sep 10 06:17:02 2019 +0200 tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()' [ Upstream commit 5080d127127ac5b610b57900774d9559ae55e817 ] ‘exit’ functions should be marked as __exit, not __init. Fixes: c10b13325ced (“tty: serial: Add RDA8810PL UART driver”) Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 31401d9f53a14f7f3f0256f45c0a6f914702c9cb Author: Christophe JAILLET Date: Tue Sep 10 06:11:29 2019 +0200 tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()' [ Upstream commit 6264dab6efd6069f0387efb078a9960b5642377b ] ‘exit’ functions should be marked as __exit, not __init. Fixes: fc60a8b675bd (“tty: serial: owl: Implement console driver”) Signed-off-by: Christophe JAILLET Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 95eee3708ce7aa23214e15e35a2f244d2c76361a Author: James Morse Date: Wed Oct 2 10:49:35 2019 +0100 arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419 [ Upstream commit dd8a1f13488438c6c220b7cafa500baaf21a6e53 ] CPUs affected by Neoverse-N1 #1542419 may execute a stale instruction if it was recently modified. The affected sequence requires freshly written instructions to be executable before a branch to them is updated. There are very few places in the kernel that modify executable text, all but one come with sufficient synchronisation: * The module loader’s flush_module_icache() calls flush_icache_range(), which does a kick_all_cpus_sync() * bpf_int_jit_compile() calls flush_icache_range(). * Kprobes calls aarch64_insn_patch_text(), which does its work in stop_machine(). * static keys and ftrace both patch between nops and branches to existing kernel code (not generated code). The affected sequence is the interaction between ftrace and modules. The module PLT is cleaned using __flush_icache_range() as the trampoline shouldn’t be executable until we update the branch to it. Drop the double-underscore so that this path runs kick_all_cpus_sync() too. Signed-off-by: James Morse Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 13042e3bfdf5fe415072f9afdc7ae563d9b4b1a4 Author: James Morse Date: Thu Oct 3 18:01:27 2019 +0100 arm64: Fix incorrect irqflag restore for priority masking for compat [ Upstream commit f46f27a576cc3b1e3d45ea50bc06287aa46b04b2 ] Commit bd82d4bd2188 (“arm64: Fix incorrect irqflag restore for priority masking”) added a macro to the entry.S call paths that leave the PSTATE.I bit set. This tells the pPNMI masking logic that interrupts are masked by the CPU, not by the PMR. This value is read back by local_daif_save(). Commit bd82d4bd2188 added this call to el0_svc, as el0_svc_handler is called with interrupts masked. el0_svc_compat was missed, but should be covered in the same way as both of these paths end up in el0_svc_common(), which expects to unmask interrupts. Fixes: bd82d4bd2188 (“arm64: Fix incorrect irqflag restore for priority masking”) Signed-off-by: James Morse Cc: Julien Thierry Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 941d7d289345cc9c4b15f74020343b319ea5f0fd Author: Julien Grall Date: Thu Oct 3 12:12:08 2019 +0100 arm64: cpufeature: Effectively expose FRINT capability to userspace [ Upstream commit 7230f7e99fecc684180322b056fad3853d1029d3 ] The HWCAP framework will detect a new capability based on the sanitized version of the ID registers. Sanitization is based on a whitelist, so any field not described will end up to be zeroed. At the moment, ID_AA64ISAR1_EL1.FRINTTS is not described in ftr_id_aa64isar1. This means the field will be zeroed and therefore the userspace will not be able to see the HWCAP even if the hardware supports the feature. This can be fixed by describing the field in ftr_id_aa64isar1. Fixes: ca9503fc9e98 (“arm64: Expose FRINT capabilities to userspace”) Signed-off-by: Julien Grall Cc: [email protected] Signed-off-by: Will Deacon Signed-off-by: Sasha Levin commit 7cf53aa7c03db767909beefa32143b8042837578 Author: ZhangXiaoxu Date: Thu Sep 26 14:29:38 2019 +0800 nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request [ Upstream commit 33ea5aaa87cdae0f9af4d6b7ee4f650a1a36fd1d ] When xfstests testing, there are some WARNING as below: WARNING: CPU: 0 PID: 6235 at fs/nfs/inode.c:122 nfs_clear_inode+0x9c/0xd8 Modules linked in: CPU: 0 PID: 6235 Comm: umount.nfs Hardware name: linux,dummy-virt (DT) pstate: 60000005 (nZCv daif -PAN -UAO) pc : nfs_clear_inode+0x9c/0xd8 lr : nfs_evict_inode+0x60/0x78 sp : fffffc000f68fc00 x29: fffffc000f68fc00 x28: fffffe00c53155c0 x27: fffffe00c5315000 x26: fffffc0009a63748 x25: fffffc000f68fd18 x24: fffffc000bfaaf40 x23: fffffc000936d3c0 x22: fffffe00c4ff5e20 x21: fffffc000bfaaf40 x20: fffffe00c4ff5d10 x19: fffffc000c056000 x18: 000000000000003c x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000040 x14: 0000000000000228 x13: fffffc000c3a2000 x12: 0000000000000045 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : fffffc00084b027c x5 : fffffc0009a64000 x4 : fffffe00c0e77400 x3 : fffffc000c0563a8 x2 : fffffffffffffffb x1 : 000000000000764e x0 : 0000000000000001 Call trace: nfs_clear_inode+0x9c/0xd8 nfs_evict_inode+0x60/0x78 evict+0x108/0x380 dispose_list+0x70/0xa0 evict_inodes+0x194/0x210 generic_shutdown_super+0xb0/0x220 nfs_kill_super+0x40/0x88 deactivate_locked_super+0xb4/0x120 deactivate_super+0x144/0x160 cleanup_mnt+0x98/0x148 __cleanup_mnt+0x38/0x50 task_work_run+0x114/0x160 do_notify_resume+0x2f8/0x308 work_pending+0x8/0x14 The nrequest should be increased/decreased only if PG_INODE_REF flag was setted. But in the nfs_inode_remove_request function, it maybe decrease when no PG_INODE_REF flag, this maybe lead nrequests count error. Reported-by: Hulk Robot Signed-off-by: ZhangXiaoxu Signed-off-by: Anna Schumaker Signed-off-by: Sasha Levin commit 28c289a83d1bbdf8ce74601931d4749016637cf7 Author: Kees Cook Date: Thu Sep 19 11:06:44 2019 -0700 selftests/kselftest/runner.sh: Add 45 second timeout per test [ Upstream commit 852c8cbf34d3b3130a05c38064dd98614f97d3a8 ] Commit a745f7af3cbd (“selftests/harness: Add 30 second timeout per test”) solves the problem of kselftest_harness.h-using binary tests possibly hanging forever. However, scripts and other binaries can still hang forever. This adds a global timeout to each test script run. To make this configurable (e.g. as needed in the “rtc” test case), include a new per-test-directory “settings” file (similar to “config”) that can contain kselftest-specific settings. The first recognized field is “timeout". Additionally, this splits the reporting for timeouts into a specific “TIMEOUT” not-ok (and adds exit code reporting in the remaining case). Signed-off-by: Kees Cook Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 4807934211330b9e0da58d62bfe9783ae935b150 Author: Cristian Marussi Date: Thu Sep 26 18:52:19 2019 +0100 kselftest: exclude failed TARGETS from runlist [ Upstream commit 131b30c94fbc0adb15f911609884dd39dada8f00 ] A TARGET which failed to be built/installed should not be included in the runlist generated inside the run_kselftest.sh script. Signed-off-by: Cristian Marussi Signed-off-by: Shuah Khan Signed-off-by: Sasha Levin commit 230c3b901f08bb9ac0d01136e8c28879af1aeb8e Author: Dexuan Cui Date: Tue Aug 20 02:56:34 2019 +0000 HID: hyperv: Use in-place iterator API in the channel callback [ Upstream commit 6a297c90efa68b2864483193b8bfb0d19478600c ] Simplify the ring buffer handling with the in-place API. Also avoid the dynamic allocation and the memory leak in the channel callback function. Signed-off-by: Dexuan Cui Acked-by: Jiri Kosina Signed-off-by: Sasha Levin commit 73a019e474c9cc796ee673276ec044de943bedff Author: Bart Van Assche Date: Mon Sep 30 16:16:54 2019 -0700 RDMA/iwcm: Fix a lock inversion issue [ Upstream commit b66f31efbdad95ec274345721d99d1d835e6de01 ] This patch fixes the lock inversion complaint: ============================================ WARNING: possible recursive locking detected 5.3.0-rc7-dbg+ #1 Not tainted -------------------------------------------- kworker/u16:6/171 is trying to acquire lock: 00000000035c6e6c (&id_priv->handler_mutex){+.+.}, at: rdma_destroy_id+0x78/0x4a0 [rdma_cm] but task is already holding lock: 00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm] other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&id_priv->handler_mutex); lock(&id_priv->handler_mutex); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by kworker/u16:6/171: #0: 00000000e2eaa773 ((wq_completion)iw_cm_wq){+.+.}, at: process_one_work+0x472/0xac0 #1: 000000001efd357b ((work_completion)(&work->work)#3){+.+.}, at: process_one_work+0x476/0xac0 #2: 00000000bc7c307d (&id_priv->handler_mutex){+.+.}, at: iw_conn_req_handler+0x151/0x680 [rdma_cm] stack backtrace: CPU: 3 PID: 171 Comm: kworker/u16:6 Not tainted 5.3.0-rc7-dbg+ #1 Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 Workqueue: iw_cm_wq cm_work_handler [iw_cm] Call Trace: dump_stack+0x8a/0xd6 __lock_acquire.cold+0xe1/0x24d lock_acquire+0x106/0x240 __mutex_lock+0x12e/0xcb0 mutex_lock_nested+0x1f/0x30 rdma_destroy_id+0x78/0x4a0 [rdma_cm] iw_conn_req_handler+0x5c9/0x680 [rdma_cm] cm_work_handler+0xe62/0x1100 [iw_cm] process_one_work+0x56d/0xac0 worker_thread+0x7a/0x5d0 kthread+0x1bc/0x210 ret_from_fork+0x24/0x30 This is not a bug as there are actually two lock classes here. Link: https://lore.kernel.org/r/[email protected] Fixes: de910bd92137 (“RDMA/cma: Simplify locking needed for serialization of callbacks”) Signed-off-by: Bart Van Assche Reviewed-by: Jason Gunthorpe Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit d51a30e294df5d2dd89d732eac65a2c1aa9b1675 Author: Potnuri Bharat Teja Date: Mon Sep 30 13:11:19 2019 +0530 RDMA/iw_cxgb4: fix SRQ access from dump_qp() [ Upstream commit 91724c1e5afe45b64970036170659726e7dc5cff ] dump_qp() is wrongly trying to dump SRQ structures as QP when SRQ is used by the application. This patch matches the QPID before dumping them. Also removes unwanted SRQ id addition to QP id xarray. Fixes: 2f43129127e6 (“cxgb4: Convert qpidr to XArray”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Rahul Kundu Signed-off-by: Potnuri Bharat Teja Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 933a1d0b6c7557d116fad31110a30ec08e99078b Author: Navid Emamdoost Date: Wed Sep 25 09:45:42 2019 -0500 RDMA/hfi1: Prevent memory leak in sdma_init [ Upstream commit 34b3be18a04ecdc610aae4c48e5d1b799d8689f6 ] In sdma_init if rhashtable_init fails the allocated memory for tmp_sdma_rht should be released. Fixes: 5a52a7acf7e2 (“IB/hfi1: NULL pointer dereference when freeing rhashtable”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Navid Emamdoost Acked-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 4d1cf46a19f4c3b1c17cda8e527937b72edc4435 Author: Krishnamraju Eraparaju Date: Mon Sep 23 15:41:12 2019 +0530 RDMA/siw: Fix serialization issue in write_space() [ Upstream commit df791c54d627bae53c9be3be40a69594c55de487 ] In siw_qp_llp_write_space(), ‘sock’ members should be accessed with sk_callback_lock held, otherwise, it could race with siw_sk_restore_upcalls(). And this could cause “NULL deref” panic. Below panic is due to the NULL cep returned from sk_to_cep(sk): Call Trace: siw_qp_llp_write_space+0x11/0x40 [siw] tcp_check_space+0x4c/0xf0 tcp_rcv_established+0x52b/0x630 tcp_v4_do_rcv+0xf4/0x1e0 tcp_v4_rcv+0x9b8/0xab0 ip_protocol_deliver_rcu+0x2c/0x1c0 ip_local_deliver_finish+0x44/0x50 ip_local_deliver+0x6b/0xf0 ? ip_protocol_deliver_rcu+0x1c0/0x1c0 ip_rcv+0x52/0xd0 ? ip_rcv_finish_core.isra.14+0x390/0x390 __netif_receive_skb_one_core+0x83/0xa0 netif_receive_skb_internal+0x73/0xb0 napi_gro_frags+0x1ff/0x2b0 t4_ethrx_handler+0x4a7/0x740 [cxgb4] process_responses+0x2c9/0x590 [cxgb4] ? t4_sge_intr_msix+0x1d/0x30 [cxgb4] ? handle_irq_event_percpu+0x51/0x70 ? handle_irq_event+0x41/0x60 ? handle_edge_irq+0x97/0x1a0 napi_rx_handler+0x14/0xe0 [cxgb4] net_rx_action+0x2af/0x410 __do_softirq+0xda/0x2a8 do_softirq_own_stack+0x2a/0x40 do_softirq+0x50/0x60 __local_bh_enable_ip+0x50/0x60 ip_finish_output2+0x18f/0x520 ip_output+0x6e/0xf0 ? __ip_finish_output+0x1f0/0x1f0 __ip_queue_xmit+0x14f/0x3d0 ? __slab_alloc+0x4b/0x58 __tcp_transmit_skb+0x57d/0xa60 tcp_write_xmit+0x23b/0xfd0 __tcp_push_pending_frames+0x2e/0xf0 tcp_sendmsg_locked+0x939/0xd50 tcp_sendmsg+0x27/0x40 sock_sendmsg+0x57/0x80 siw_tx_hdt+0x894/0xb20 [siw] ? find_busiest_group+0x3e/0x5b0 ? common_interrupt+0xa/0xf ? common_interrupt+0xa/0xf ? common_interrupt+0xa/0xf siw_qp_sq_process+0xf1/0xe60 [siw] ? __wake_up_common_lock+0x87/0xc0 siw_sq_resume+0x33/0xe0 [siw] siw_run_sq+0xac/0x190 [siw] ? remove_wait_queue+0x60/0x60 kthread+0xf8/0x130 ? siw_sq_resume+0xe0/0xe0 [siw] ? kthread_bind+0x10/0x10 ret_from_fork+0x35/0x40 Fixes: f29dd55b0236 (“rdma/siw: queue pair methods”) Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Krishnamraju Eraparaju Reviewed-by: Bernard Metzler Signed-off-by: Jason Gunthorpe Signed-off-by: Sasha Levin commit 380d065b0c79f8ec04978d52d8d012d4c9d3312c Author: Connor Kuehl Date: Fri Sep 27 14:44:15 2019 -0700 staging: rtl8188eu: fix null dereference when kzalloc fails [ Upstream commit 955c1532a34305f2f780b47f0c40cc7c65500810 ] If kzalloc() returns NULL, the error path doesn’t stop the flow of control from entering rtw_hal_read_chip_version() which dereferences the null pointer. Fix this by adding a ‘goto’ to the error path to more gracefully handle the issue and avoid proceeding with initialization steps that we’re no longer prepared to handle. Also update the debug message to be more consistent with the other debug messages in this function. Addresses-Coverity: (“Dereference after null check”) Signed-off-by: Connor Kuehl Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin commit 296b5ca33c15c14feddfbcca8cc520156890795d Author: Arnaldo Carvalho de Melo Date: Mon Sep 30 16:04:21 2019 -0300 perf annotate: Don’t return -1 for error when doing BPF disassembly [ Upstream commit 11aad897f6d1a28eae3b7e5b293647c522d65819 ] Return errno when open_memstream() fails and add two new speciall error codes for when an invalid, non BPF file or one without BTF is passed to symbol__disassemble_bpf(), so that its callers can rely on symbol__strerror_disassemble() to convert that to a human readable error message that can help figure out what is wrong, with hints even. Cc: Russell King - ARM Linux admin Cc: Song Liu Cc: Alexei Starovoitov Cc: Daniel Borkmann Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra , Cc: Will Deacon Link: https://lkml.kernel.org/n/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 60e3bfabf37b42a367aa08ceb9efe7077908a6ce Author: Arnaldo Carvalho de Melo Date: Mon Sep 30 15:53:33 2019 -0300 perf annotate: Return appropriate error code for allocation failures [ Upstream commit 16ed3c1e91159e28b02f11f71ff4ce4cbc6f99e4 ] We should return errno or the annotation extra range understood by symbol__strerror_disassemble() instead of -1, fix it, returning ENOMEM instead. Reported-by: Russell King - ARM Linux admin Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra , Cc: Will Deacon Link: https://lkml.kernel.org/n/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 1551ed0aca3c4d529b0b49b1b7b10778bd60b356 Author: Arnaldo Carvalho de Melo Date: Mon Sep 30 15:48:12 2019 -0300 perf annotate: Fix arch specific ->init() failure errors [ Upstream commit 42d7a9107d83223a5fcecc6732d626a6c074cbc2 ] They are called from symbol__annotate() and to propagate errors that can help understand the problem make them return what symbol__strerror_disassemble() known, i.e. errno codes and other annotation specific errors in a special, out of errnos, range. Reported-by: Russell King - ARM Linux admin Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra , Cc: Will Deacon Link: https://lkml.kernel.org/n/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit fa25b88e90717445eebf13159f94c07a9e8ccd69 Author: Arnaldo Carvalho de Melo Date: Mon Sep 30 15:44:13 2019 -0300 perf annotate: Propagate the symbol__annotate() error return [ Upstream commit 211f493b611eef012841f795166c38ec7528738d ] We were just returning -1 in symbol__annotate() when symbol__annotate() failed, propagate its error as it is used later to pass to symbol__strerror_disassemble() to present a error message to the user, that in some cases were getting: “Invalid -1 error code” Fix it to propagate the error. Reported-by: Russell King - ARM Linux admin Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra , Cc: Will Deacon Link: https://lkml.kernel.org/n/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 0137a982d12322da484c895c492189ecf81d8c2d Author: Arnaldo Carvalho de Melo Date: Mon Sep 30 15:11:47 2019 -0300 perf annotate: Fix the signedness of failure returns [ Upstream commit 28f4417c3333940b242af03d90214f713bbef232 ] Callers of symbol__annotate() expect a errno value or some other extended error value range in symbol__strerror_disassemble() to convert to a proper error string, fix it when propagating a failure to find the arch specific annotation routines via arch__find(arch_name). Reported-by: Russell King - ARM Linux admin Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra , Cc: Will Deacon Link: https://lkml.kernel.org/n/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 87a4b84a353b28260c22e2b285c925b0c1689e5d Author: Arnaldo Carvalho de Melo Date: Mon Sep 30 15:06:01 2019 -0300 perf annotate: Propagate perf_env__arch() error [ Upstream commit a66fa0619a0ae3585ef09e9c33ecfb5c7c6cb72b ] The callers of symbol__annotate2() use symbol__strerror_disassemble() to convert its failure returns into a human readable string, so propagate error values from functions it calls, starting with perf_env__arch() that when fails the right thing to do is to look at ‘errno’ to see why its possible call to uname() failed. Reported-by: Russell King - ARM Linux admin Cc: Adrian Hunter Cc: Alexander Shishkin Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra , Cc: Will Deacon Link: https://lkml.kernel.org/n/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 1a13e23ce532fefb5150754476ad15cab737473f Author: Arnaldo Carvalho de Melo Date: Mon Sep 30 10:55:34 2019 -0300 perf tools: Propagate get_cpuid() error [ Upstream commit f67001a4a08eb124197ed4376941e1da9cf94b42 ] For consistency, propagate the exact cause for get_cpuid() to have failed. Cc: Adrian Hunter Cc: Jiri Olsa Cc: Namhyung Kim Link: https://lkml.kernel.org/n/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit b9d722e830dd2b77ff915d43fdf9a1dc629a00cd Author: Andi Kleen Date: Fri Sep 27 16:35:45 2019 -0700 perf jevents: Fix period for Intel fixed counters [ Upstream commit 6bdfd9f118bd59cf0f85d3bf4b72b586adea17c1 ] The Intel fixed counters use a special table to override the JSON information. During this override the period information from the JSON file got dropped, which results in inst_retired.any and similar running with frequency mode instead of a period. Just specify the expected period in the table. Signed-off-by: Andi Kleen Cc: Jiri Olsa Link: http://lore.kernel.org/lkml/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit afa21792e5e7d8c37ef0d4614df5fe231d42690b Author: Andi Kleen Date: Fri Sep 27 16:35:44 2019 -0700 perf script brstackinsn: Fix recovery from LBR/binary mismatch [ Upstream commit e98df280bc2a499fd41d7f9e2d6733884de69902 ] When the LBR data and the instructions in a binary do not match the loop printing instructions could get confused and print a long stream of bogus instructions. The problem was that if the instruction decoder cannot decode an instruction it ilen wasn’t initialized, so the loop going through the basic block would continue with the previous value. Harden the code to avoid such problems: - Make sure ilen is always freshly initialized and is 0 for bad instructions. - Do not overrun the code buffer while printing instructions - Print a warning message if the final jump is not on an instruction boundary. Signed-off-by: Andi Kleen Cc: Jiri Olsa Link: http://lore.kernel.org/lkml/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit c9220fbe774f6a8e2538c4e21af5522bd6e25cc1 Author: Steve MacLean Date: Sat Sep 28 01:39:00 2019 +0000 perf map: Fix overlapped map handling [ Upstream commit ee212d6ea20887c0ef352be8563ca13dbf965906 ] Whenever an mmap/mmap2 event occurs, the map tree must be updated to add a new entry. If a new map overlaps a previous map, the overlapped section of the previous map is effectively unmapped, but the non-overlapping sections are still valid. maps__fixup_overlappings() is responsible for creating any new map entries from the previously overlapped map. It optionally creates a before and an after map. When creating the after map the existing code failed to adjust the map.pgoff. This meant the new after map would incorrectly calculate the file offset for the ip. This results in incorrect symbol name resolution for any ip in the after region. Make maps__fixup_overlappings() correctly populate map.pgoff. Add an assert that new mapping matches old mapping at the beginning of the after map. Committer-testing: Validated correct parsing of libcoreclr.so symbols from .NET Core 3.0 preview9 (which didn’t strip symbols). Preparation: ~/dotnet3.0-preview9/dotnet new webapi -o perfSymbol cd perfSymbol ~/dotnet3.0-preview9/dotnet publish perf record ~/dotnet3.0-preview9/dotnet \ bin/Debug/netcoreapp3.0/publish/perfSymbol.dll ^C Before: perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\ grep libcoreclr.so | head -n 4 dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \ [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \ r-xp …/3.0.0-preview9-19423-09/libcoreclr.so dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \ [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \ rwxp …/3.0.0-preview9-19423-09/libcoreclr.so dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \ [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \ rwxp …/3.0.0-preview9-19423-09/libcoreclr.so dotnet 1907 373352.705249: 250000 cpu-clock: \ 7fe6159a1f99 [unknown] \ (…/3.0.0-preview9-19423-09/libcoreclr.so) After: perf script --show-mmap-events 2>&1 | grep -e MMAP -e unknown |\ grep libcoreclr.so | head -n 4 dotnet 1907 373352.698780: PERF_RECORD_MMAP2 1907/1907: \ [0x7fe615726000(0x768000) @ 0 08:02 5510620 765057155]: \ r-xp …/3.0.0-preview9-19423-09/libcoreclr.so dotnet 1907 373352.701091: PERF_RECORD_MMAP2 1907/1907: \ [0x7fe615974000(0x1000) @ 0x24e000 08:02 5510620 765057155]: \ rwxp …/3.0.0-preview9-19423-09/libcoreclr.so dotnet 1907 373352.701241: PERF_RECORD_MMAP2 1907/1907: \ [0x7fe615c42000(0x1000) @ 0x51c000 08:02 5510620 765057155]: \ rwxp …/3.0.0-preview9-19423-09/libcoreclr.so All the [unknown] symbols were resolved. Signed-off-by: Steve MacLean Tested-by: Brian Robbins Acked-by: Jiri Olsa Cc: Alexander Shishkin Cc: Andi Kleen Cc: Davidlohr Bueso Cc: Eric Saint-Etienne Cc: John Keeping Cc: John Salem Cc: Leo Yan Cc: Mark Rutland Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Song Liu Cc: Stephane Eranian Cc: Tom McDonald Link: http://lore.kernel.org/lkml/BN8PR21MB136270949F22A6A02335C238F7800@BN8PR21MB1362.namprd21.prod.outlook.com Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 5a72869bf2800b484f3c272d60f8db19c313a2de Author: Ian Rogers Date: Wed Sep 25 12:59:24 2019 -0700 perf tests: Avoid raising SEGV using an obvious NULL dereference [ Upstream commit e3e2cf3d5b1fe800b032e14c0fdcd9a6fb20cf3b ] An optimized build such as: make -C tools/perf CLANG=1 CC=clang EXTRA_CFLAGS=”-O3 will turn the dereference operation into a ud2 instruction, raising a SIGILL rather than a SIGSEGV. Use raise(…) for correctness and clarity. Similar issues were addressed in Numfor Mbiziwo-Tiapo’s patch: https://lkml.org/lkml/2019/7/8/1234 Committer testing: Before: [root@quaco ~]# perf test hooks 55: perf hooks : Ok [root@quaco ~]# perf test -v hooks 55: perf hooks : — start — test child forked, pid 17092 SIGSEGV is observed as expected, try to recover. Fatal error (SEGFAULT) in perf hook ‘test’ test child finished with 0 ---- end ---- perf hooks: Ok [root@quaco ~]# After: [root@quaco ~]# perf test hooks 55: perf hooks : Ok [root@quaco ~]# perf test -v hooks 55: perf hooks : — start — test child forked, pid 17909 SIGSEGV is observed as expected, try to recover. Fatal error (SEGFAULT) in perf hook ‘test’ test child finished with 0 ---- end ---- perf hooks: Ok [root@quaco ~]# Fixes: a074865e60ed (“perf tools: Introduce perf hooks”) Signed-off-by: Ian Rogers Tested-by: Arnaldo Carvalho de Melo Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Wang Nan Link: http://lore.kernel.org/lkml/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 38f16fc43330a0854d44cad935c8e89a558a894a Author: Ian Rogers Date: Wed Sep 25 12:59:23 2019 -0700 libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature [ Upstream commit 4b0b2b096da9d296e0e5668cdfba8613bd6f5bc8 ] Unconditionally defining _FORTIFY_SOURCE can break tools that don’t work with it, such as memory sanitizers: https://github.com/google/sanitizers/wiki/AddressSanitizer#faq Fixes: 4b6ab94eabe4 (“perf subcmd: Create subcmd library”) Signed-off-by: Ian Rogers Cc: Alexander Shishkin Cc: Andi Kleen Cc: Jiri Olsa Cc: Josh Poimboeuf Cc: Namhyung Kim Cc: Peter Zijlstra Cc: Stephane Eranian Link: http://lore.kernel.org/lkml/[email protected] Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Sasha Levin commit 175070fcf221b7189ffe118396f47ba8333a4f7a Author: Pascal Bouwmann Date: Thu Aug 29 07:29:41 2019 +0200 iio: fix center temperature of bmc150-accel-core [ Upstream commit 6c59a962e081df6d8fe43325bbfabec57e0d4751 ] The center temperature of the supported devices stored in the constant BMC150_ACCEL_TEMP_CENTER_VAL is not 24 degrees but 23 degrees. It seems that some datasheets were inconsistent on this value leading to the error. For most usecases will only make minor difference so not queued for stable. Signed-off-by: Pascal Bouwmann Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 026e312506e40cc0107187b3f381d72468d8cfad Author: Remi Pommarel Date: Sun Sep 1 12:54:10 2019 +0200 iio: adc: meson_saradc: Fix memory allocation order [ Upstream commit de10ac47597e7a3596b27631d0d5ce5f48d2c099 ] meson_saradc’s irq handler uses priv->regmap so make sure that it is allocated before the irq get enabled. This also fixes crash when CONFIG_DEBUG_SHIRQ is enabled, as device managed resources are freed in the inverted order they had been allocated, priv->regmap was freed before the spurious fake irq that CONFIG_DEBUG_SHIRQ adds called the handler. Fixes: 3af109131b7eb8 (“iio: adc: meson-saradc: switch from polling to interrupt mode”) Reported-by: Elie Roudninski Signed-off-by: Remi Pommarel Reviewed-by: Martin Blumenstingl Tested-by: Elie ROUDNINSKI Reviewed-by: Kevin Hilman Signed-off-by: Jonathan Cameron Signed-off-by: Sasha Levin commit 437c09d9b774247cce8885102efa69b329f0da8b Author: Qu Wenruo Date: Mon Oct 14 14:34:51 2019 +0800 btrfs: qgroup: Always free PREALLOC META reserve in btrfs_delalloc_release_extents() [ Upstream commit 8702ba9396bf7bbae2ab93c94acd4bd37cfa4f09 ] [Background] Btrfs qgroup uses two types of reserved space for METADATA space, PERTRANS and PREALLOC. PERTRANS is metadata space reserved for each transaction started by btrfs_start_transaction(). While PREALLOC is for delalloc, where we reserve space before joining a transaction, and finally it will be converted to PERTRANS after the writeback is done. [Inconsistency] However there is inconsistency in how we handle PREALLOC metadata space. The most obvious one is: In btrfs_buffered_write(): btrfs_delalloc_release_extents(BTRFS_I(inode), reserve_bytes, true); We always free qgroup PREALLOC meta space. While in btrfs_truncate_block(): btrfs_delalloc_release_extents(BTRFS_I(inode), blocksize, (ret != 0)); We only free qgroup PREALLOC meta space when something went wrong. [The Correct Behavior] The correct behavior should be the one in btrfs_buffered_write(), we should always free PREALLOC metadata space. The reason is, the btrfs_delalloc_* mechanism works by: - Reserve metadata first, even it’s not necessary In btrfs_delalloc_reserve_metadata() - Free the unused metadata space Normally in: btrfs_delalloc_release_extents() |- btrfs_inode_rsv_release() Here we do calculation on whether we should release or not. E.g. for 64K buffered write, the metadata rsv works like: /* The first page */ reserve_meta: num_bytes=calc_inode_reservations() free_meta: num_bytes=0 total: num_bytes=calc_inode_reservations() /* The first page caused one outstanding extent, thus needs metadata rsv */ /* The 2nd page */ reserve_meta: num_bytes=calc_inode_reservations() free_meta: num_bytes=calc_inode_reservations() total: not changed /* The 2nd page doesn’t cause new outstanding extent, needs no new meta rsv, so we free what we have reserved */ /* The 3rd~16th pages */ reserve_meta: num_bytes=calc_inode_reservations() free_meta: num_bytes=calc_inode_reservations() total: not changed (still space for one outstanding extent) This means, if btrfs_delalloc_release_extents() determines to free some space, then those space should be freed NOW. So for qgroup, we should call btrfs_qgroup_free_meta_prealloc() other than btrfs_qgroup_convert_reserved_meta(). The good news is: - The callers are not that hot The hottest caller is in btrfs_buffered_write(), which is already fixed by commit 336a8bb8e36a (“btrfs: Fix wrong btrfs_delalloc_release_extents parameter”). Thus it’s not that easy to cause false EDQUOT. - The trans commit in advance for qgroup would hide the bug Since commit f5fef4593653 (“btrfs: qgroup: Make qgroup async transaction commit more aggressive”), when btrfs qgroup metadata free space is slow, it will try to commit transaction and free the wrongly converted PERTRANS space, so it’s not that easy to hit such bug. [FIX] So to fix the problem, remove the @qgroup_free parameter for btrfs_delalloc_release_extents(), and always pass true to btrfs_inode_rsv_release(). Reported-by: Filipe Manana Fixes: 43b18595d660 (“btrfs: qgroup: Use separate meta reservation type for delalloc”) CC: [email protected] # 4.19+ Reviewed-by: Filipe Manana Signed-off-by: Qu Wenruo Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 5686abf8a2b6d4e995041dd59651f9bdd2570735 Author: Filipe Manana Date: Thu Jul 4 16:24:19 2019 +0100 Btrfs: fix inode cache block reserve leak on failure to allocate data space [ Upstream commit 29d47d00e0ae61668ee0c5d90bef2893c8abbafa ] If we failed to allocate the data extent(s) for the inode space cache, we were bailing out without releasing the previously reserved metadata. This was triggering the following warnings when unmounting a filesystem: $ cat -n fs/btrfs/inode.c (…) 9268 void btrfs_destroy_inode(struct inode *inode) 9269 { (…) 9276 WARN_ON(BTRFS_I(inode)->block_rsv.reserved); 9277 WARN_ON(BTRFS_I(inode)->block_rsv.size); (…) 9281 WARN_ON(BTRFS_I(inode)->csum_bytes); 9282 WARN_ON(BTRFS_I(inode)->defrag_bytes); (…) Several fstests test cases triggered this often, such as generic/083, generic/102, generic/172, generic/269 and generic/300 at least, producing stack traces like the following in dmesg/syslog: [82039.079546] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9276 btrfs_destroy_inode+0x203/0x270 [btrfs] (…) [82039.081543] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 [82039.081912] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 [82039.082673] RIP: 0010:btrfs_destroy_inode+0x203/0x270 [btrfs] (…) [82039.083913] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010206 [82039.084320] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002 [82039.084736] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8dde29b34660 [82039.085156] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 [82039.085578] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0 [82039.086000] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000 [82039.086416] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000 [82039.086837] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [82039.087253] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0 [82039.087672] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [82039.088089] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [82039.088504] Call Trace: [82039.088918] destroy_inode+0x3b/0x70 [82039.089340] btrfs_free_fs_root+0x16/0xa0 [btrfs] [82039.089768] btrfs_free_fs_roots+0xd8/0x160 [btrfs] [82039.090183] ? wait_for_completion+0x65/0x1a0 [82039.090607] close_ctree+0x172/0x370 [btrfs] [82039.091021] generic_shutdown_super+0x6c/0x110 [82039.091427] kill_anon_super+0xe/0x30 [82039.091832] btrfs_kill_super+0x12/0xa0 [btrfs] [82039.092233] deactivate_locked_super+0x3a/0x70 [82039.092636] cleanup_mnt+0x3b/0x80 [82039.093039] task_work_run+0x93/0xc0 [82039.093457] exit_to_usermode_loop+0xfa/0x100 [82039.093856] do_syscall_64+0x162/0x1d0 [82039.094244] entry_SYSCALL_64_after_hwframe+0x49/0xbe [82039.094634] RIP: 0033:0x7f8db8fbab37 (…) [82039.095876] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [82039.096290] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 [82039.096700] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 [82039.097110] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 [82039.097522] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 [82039.097937] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 [82039.098350] irq event stamp: 0 [82039.098750] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [82039.099150] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.099545] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.099925] softirqs last disabled at (0): [<0000000000000000>] 0x0 [82039.100292] —[ end trace f2521afa616ddccc ]— [82039.100707] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9277 btrfs_destroy_inode+0x1ac/0x270 [btrfs] (…) [82039.103050] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 [82039.103428] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 [82039.104203] RIP: 0010:btrfs_destroy_inode+0x1ac/0x270 [btrfs] (…) [82039.105461] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010206 [82039.105866] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002 [82039.106270] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8dde29b34660 [82039.106673] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 [82039.107078] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0 [82039.107487] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000 [82039.107894] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000 [82039.108309] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [82039.108723] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0 [82039.109146] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [82039.109567] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [82039.109989] Call Trace: [82039.110405] destroy_inode+0x3b/0x70 [82039.110830] btrfs_free_fs_root+0x16/0xa0 [btrfs] [82039.111257] btrfs_free_fs_roots+0xd8/0x160 [btrfs] [82039.111675] ? wait_for_completion+0x65/0x1a0 [82039.112101] close_ctree+0x172/0x370 [btrfs] [82039.112519] generic_shutdown_super+0x6c/0x110 [82039.112988] kill_anon_super+0xe/0x30 [82039.113439] btrfs_kill_super+0x12/0xa0 [btrfs] [82039.113861] deactivate_locked_super+0x3a/0x70 [82039.114278] cleanup_mnt+0x3b/0x80 [82039.114685] task_work_run+0x93/0xc0 [82039.115083] exit_to_usermode_loop+0xfa/0x100 [82039.115476] do_syscall_64+0x162/0x1d0 [82039.115863] entry_SYSCALL_64_after_hwframe+0x49/0xbe [82039.116254] RIP: 0033:0x7f8db8fbab37 (…) [82039.117463] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [82039.117882] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 [82039.118330] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 [82039.118743] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 [82039.119159] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 [82039.119574] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 [82039.119987] irq event stamp: 0 [82039.120387] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [82039.120787] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.121182] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.121563] softirqs last disabled at (0): [<0000000000000000>] 0x0 [82039.121933] —[ end trace f2521afa616ddccd ]— [82039.122353] WARNING: CPU: 2 PID: 13167 at fs/btrfs/inode.c:9278 btrfs_destroy_inode+0x1bc/0x270 [btrfs] (…) [82039.124606] CPU: 2 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 [82039.125008] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 [82039.125801] RIP: 0010:btrfs_destroy_inode+0x1bc/0x270 [btrfs] (…) [82039.126998] RSP: 0018:ffffac0b426a7d30 EFLAGS: 00010202 [82039.127399] RAX: ffff8ddf77691158 RBX: ffff8dde29b34660 RCX: 0000000000000002 [82039.127803] RDX: 0000000000000001 RSI: 0000000000000001 RDI: ffff8dde29b34660 [82039.128206] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 [82039.128611] R10: ffffac0b426a7c90 R11: ffffffffb9aad768 R12: ffffac0b426a7db0 [82039.129020] R13: ffff8ddf5fbec0a0 R14: dead000000000100 R15: 0000000000000000 [82039.129428] FS: 00007f8db96d12c0(0000) GS:ffff8de036b00000(0000) knlGS:0000000000000000 [82039.129846] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [82039.130261] CR2: 0000000001416108 CR3: 00000002315cc001 CR4: 00000000003606e0 [82039.130684] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [82039.131142] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [82039.131561] Call Trace: [82039.131990] destroy_inode+0x3b/0x70 [82039.132417] btrfs_free_fs_root+0x16/0xa0 [btrfs] [82039.132844] btrfs_free_fs_roots+0xd8/0x160 [btrfs] [82039.133262] ? wait_for_completion+0x65/0x1a0 [82039.133688] close_ctree+0x172/0x370 [btrfs] [82039.134157] generic_shutdown_super+0x6c/0x110 [82039.134575] kill_anon_super+0xe/0x30 [82039.134997] btrfs_kill_super+0x12/0xa0 [btrfs] [82039.135415] deactivate_locked_super+0x3a/0x70 [82039.135832] cleanup_mnt+0x3b/0x80 [82039.136239] task_work_run+0x93/0xc0 [82039.136637] exit_to_usermode_loop+0xfa/0x100 [82039.137029] do_syscall_64+0x162/0x1d0 [82039.137418] entry_SYSCALL_64_after_hwframe+0x49/0xbe [82039.137812] RIP: 0033:0x7f8db8fbab37 (…) [82039.139059] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [82039.139475] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 [82039.139890] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 [82039.140302] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 [82039.140719] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 [82039.141138] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 [82039.141597] irq event stamp: 0 [82039.142043] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [82039.142443] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.142839] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.143220] softirqs last disabled at (0): [<0000000000000000>] 0x0 [82039.143588] —[ end trace f2521afa616ddcce ]— [82039.167472] WARNING: CPU: 3 PID: 13167 at fs/btrfs/extent-tree.c:10120 btrfs_free_block_groups+0x30d/0x460 [btrfs] (…) [82039.173800] CPU: 3 PID: 13167 Comm: umount Tainted: G W 5.2.0-rc4-btrfs-next-50 #1 [82039.174847] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.2-0-gf9626ccb91-prebuilt.qemu-project.org 04/01/2014 [82039.177031] RIP: 0010:btrfs_free_block_groups+0x30d/0x460 [btrfs] (…) [82039.180397] RSP: 0018:ffffac0b426a7dd8 EFLAGS: 00010206 [82039.181574] RAX: ffff8de010a1db40 RBX: ffff8de010a1db40 RCX: 0000000000170014 [82039.182711] RDX: ffff8ddff4380040 RSI: ffff8de010a1da58 RDI: 0000000000000246 [82039.183817] RBP: ffff8ddf5fbec000 R08: 0000000000000000 R09: 0000000000000000 [82039.184925] R10: ffff8de036404380 R11: ffffffffb8a5ea00 R12: ffff8de010a1b2b8 [82039.186090] R13: ffff8de010a1b2b8 R14: 0000000000000000 R15: dead000000000100 [82039.187208] FS: 00007f8db96d12c0(0000) GS:ffff8de036b80000(0000) knlGS:0000000000000000 [82039.188345] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [82039.189481] CR2: 00007fb044005170 CR3: 00000002315cc006 CR4: 00000000003606e0 [82039.190674] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [82039.191829] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [82039.192978] Call Trace: [82039.194160] close_ctree+0x19a/0x370 [btrfs] [82039.195315] generic_shutdown_super+0x6c/0x110 [82039.196486] kill_anon_super+0xe/0x30 [82039.197645] btrfs_kill_super+0x12/0xa0 [btrfs] [82039.198696] deactivate_locked_super+0x3a/0x70 [82039.199619] cleanup_mnt+0x3b/0x80 [82039.200559] task_work_run+0x93/0xc0 [82039.201505] exit_to_usermode_loop+0xfa/0x100 [82039.202436] do_syscall_64+0x162/0x1d0 [82039.203339] entry_SYSCALL_64_after_hwframe+0x49/0xbe [82039.204091] RIP: 0033:0x7f8db8fbab37 (…) [82039.206360] RSP: 002b:00007ffdce35b468 EFLAGS: 00000246 ORIG_RAX: 00000000000000a6 [82039.207132] RAX: 0000000000000000 RBX: 0000560d20b00060 RCX: 00007f8db8fbab37 [82039.207906] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000560d20b00240 [82039.208621] RBP: 0000560d20b00240 R08: 0000560d20b00270 R09: 0000000000000015 [82039.209285] R10: 00000000000006b4 R11: 0000000000000246 R12: 00007f8db94bce64 [82039.209984] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffdce35b6f0 [82039.210642] irq event stamp: 0 [82039.211306] hardirqs last enabled at (0): [<0000000000000000>] 0x0 [82039.211971] hardirqs last disabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.212643] softirqs last enabled at (0): [] copy_process.part.33+0x7f2/0x1f00 [82039.213304] softirqs last disabled at (0): [<0000000000000000>] 0x0 [82039.213875] —[ end trace f2521afa616ddccf ]— Fix this by releasing the reserved metadata on failure to allocate data extent(s) for the inode cache. Fixes: 69fe2d75dd91d0 (“btrfs: make the delalloc block rsv per inode”) Signed-off-by: Filipe Manana Signed-off-by: David Sterba Signed-off-by: Sasha Levin commit 36d22a8798d36bc8ae407a1af52d05f84bdb67d8 Author: Mikulas Patocka Date: Wed Oct 2 06:15:53 2019 -0400 dm snapshot: rework COW throttling to fix deadlock [ Upstream commit b21555786f18cd77f2311ad89074533109ae3ffa ] Commit 721b1d98fb517a (“dm snapshot: Fix excessive memory usage and workqueue stalls”) introduced a semaphore to limit the maximum number of in-flight kcopyd (COW) jobs. The implementation of this throttling mechanism is prone to a deadlock: 1. One or more threads write to the origin device causing COW, which is performed by kcopyd. 2. At some point some of these threads might reach the s->cow_count semaphore limit and block in down(&s->cow_count), holding a read lock on _origins_lock. 3. Someone tries to acquire a write lock on _origins_lock, e.g., snapshot_ctr(), which blocks because the threads at step (2) already hold a read lock on it. 4. A COW operation completes and kcopyd runs dm-snapshot’s completion callback, which ends up calling pending_complete(). pending_complete() tries to resubmit any deferred origin bios. This requires acquiring a read lock on _origins_lock, which blocks. This happens because the read-write semaphore implementation gives priority to writers, meaning that as soon as a writer tries to enter the critical section, no readers will be allowed in, until all writers have completed their work. So, pending_complete() waits for the writer at step (3) to acquire and release the lock. This writer waits for the readers at step (2) to release the read lock and those readers wait for pending_complete() (the kcopyd thread) to signal the s->cow_count semaphore: DEADLOCK. The above was thoroughly analyzed and documented by Nikos Tsironis as part of his initial proposal for fixing this deadlock, see: https://www.redhat.com/archives/dm-devel/2019-October/msg00001.html Fix this deadlock by reworking COW throttling so that it waits without holding any locks. Add a variable ‘in_progress’ that counts how many kcopyd jobs are running. A function wait_for_in_progress() will sleep if ‘in_progress’ is over the limit. It drops _origins_lock in order to avoid the deadlock. Reported-by: Guruswamy Basavaiah Reported-by: Nikos Tsironis Reviewed-by: Nikos Tsironis Tested-by: Nikos Tsironis Fixes: 721b1d98fb51 (“dm snapshot: Fix excessive memory usage and workqueue stalls”) Cc: [email protected] # v5.0+ Depends-on: 4a3f111a73a8c ("dm snapshot: introduce account_start_copy() and account_end_copy()") Signed-off-by: Mikulas Patocka Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 61e71217f9c5d789257eee86e6077f1eb8a75912 Author: Mikulas Patocka Date: Wed Oct 2 06:14:17 2019 -0400 dm snapshot: introduce account_start_copy() and account_end_copy() [ Upstream commit a2f83e8b0c82c9500421a26c49eb198b25fcdea3 ] This simple refactoring moves code for modifying the semaphore cow_count into separate functions to prepare for changes that will extend these methods to provide for a more sophisticated mechanism for COW throttling. Signed-off-by: Mikulas Patocka Reviewed-by: Nikos Tsironis Signed-off-by: Mike Snitzer Signed-off-by: Sasha Levin commit 9e46fe9737b68f163fa74d6f0f1cf1e6e6e069c1 Author: Jens Axboe Date: Thu Oct 17 09:20:46 2019 -0600 io_uring: fix up O_NONBLOCK handling for sockets [ Upstream commit 491381ce07ca57f68c49c79a8a43da5b60749e32 ] We’ve got two issues with the non-regular file handling for non-blocking IO: 1) We don’t want to re-do a short read in full for a non-regular file, as we can’t just read the data again. 2) For non-regular files that don’t support non-blocking IO attempts, we need to punt to async context even if the file is opened as non-blocking. Otherwise the caller always gets -EAGAIN. Add two new request flags to handle these cases. One is just a cache of the inode S_ISREG() status, the other tells io_uring that we always need to punt this request to async context, even if REQ_F_NOWAIT is set. Cc: [email protected] Reported-by: Hrvoje Zeba Tested-by: Hrvoje Zeba Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin

Related news

CVE-2022-34456: DSA-2022-267: Dell EMC Metronode VS5 Security Update for Multiple Third-Party Component Vulnerabilities

Dell EMC Metro node, Version(s) prior to 7.1, contain a Code Injection Vulnerability. An authenticated nonprivileged attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application.

CVE-2020-0137: Pixel Update Bulletin—June 2020  |  Android Open Source Project

In setIPv6AddrGenMode of NetworkManagementService.java, there is a possible bypass of networking permissions due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android-10Android ID: A-141920289

CVE-2019-15098: [PATCH 1/2] Fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe

drivers/net/wireless/ath/ath6kl/usb.c in the Linux kernel through 5.2.9 has a NULL pointer dereference via an incomplete address in an endpoint descriptor.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907