1. 10 1月, 2019 40 次提交
    • M
      arm/arm64: KVM: vgic: Force VM halt when changing the active state of GICv3 PPIs/SGIs · 0fa68518
      Marc Zyngier 提交于
      commit 107352a24900fb458152b92a4e72fbdc83fd5510 upstream.
      
      We currently only halt the guest when a vCPU messes with the active
      state of an SPI. This is perfectly fine for GICv2, but isn't enough
      for GICv3, where all vCPUs can access the state of any other vCPU.
      
      Let's broaden the condition to include any GICv3 interrupt that
      has an active state (i.e. all but LPIs).
      
      Cc: stable@vger.kernel.org
      Reviewed-by: NChristoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0fa68518
    • W
      arm64: KVM: Avoid setting the upper 32 bits of VTCR_EL2 to 1 · 7ec9ea67
      Will Deacon 提交于
      commit df655b75c43fba0f2621680ab261083297fd6d16 upstream.
      
      Although bit 31 of VTCR_EL2 is RES1, we inadvertently end up setting all
      of the upper 32 bits to 1 as well because we define VTCR_EL2_RES1 as
      signed, which is sign-extended when assigning to kvm->arch.vtcr.
      
      Lucky for us, the architecture currently treats these upper bits as RES0
      so, whilst we've been naughty, we haven't set fire to anything yet.
      
      Cc: <stable@vger.kernel.org>
      Cc: Marc Zyngier <marc.zyngier@arm.com>
      Cc: Christoffer Dall <christoffer.dall@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NMarc Zyngier <marc.zyngier@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ec9ea67
    • P
      smb3: fix large reads on encrypted connections · ba77e8c7
      Paul Aurich 提交于
      commit 6d2f84eee098540ae857998fe32f29b9e2cd9613 upstream.
      
      When passing a large read to receive_encrypted_read(), ensure that the
      demultiplex_thread knows that a MID was processed.  Without this, those
      operations never complete.
      
      This is a similar issue/fix to lease break handling:
      commit 7af929d6
      ("smb3: fix lease break problem introduced by compounding")
      
      CC: Stable <stable@vger.kernel.org> # 4.19+
      Fixes: b24df3e3 ("cifs: update receive_encrypted_standard to handle compounded responses")
      Signed-off-by: NPaul Aurich <paul@darkrain42.org>
      Tested-by: NYves-Alexis Perez <corsac@corsac.net>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Reviewed-by: NRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ba77e8c7
    • G
      CIFS: Fix error mapping for SMB2_LOCK command which caused OFD lock problem · 1827d1c4
      Georgy A Bystrenin 提交于
      commit 9a596f5b39593414c0ec80f71b94a226286f084e upstream.
      
      While resolving a bug with locks on samba shares found a strange behavior.
      When a file locked by one node and we trying to lock it from another node
      it fail with errno 5 (EIO) but in that case errno must be set to
      (EACCES | EAGAIN).
      This isn't happening when we try to lock file second time on same node.
      In this case it returns EACCES as expected.
      Also this issue not reproduces when we use SMB1 protocol (vers=1.0 in
      mount options).
      
      Further investigation showed that the mapping from status_to_posix_error
      is different for SMB1 and SMB2+ implementations.
      For SMB1 mapping is [NT_STATUS_LOCK_NOT_GRANTED to ERRlock]
      (See fs/cifs/netmisc.c line 66)
      but for SMB2+ mapping is [STATUS_LOCK_NOT_GRANTED to -EIO]
      (see fs/cifs/smb2maperror.c line 383)
      
      Quick changes in SMB2+ mapping from EIO to EACCES has fixed issue.
      
      BUG: https://bugzilla.kernel.org/show_bug.cgi?id=201971Signed-off-by: NGeorgy A Bystrenin <gkot@altlinux.org>
      Reviewed-by: NPavel Shilovsky <pshilov@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1827d1c4
    • H
      MIPS: Fix a R10000_LLSC_WAR logic in atomic.h · db825a79
      Huacai Chen 提交于
      commit db1ce3f5d01d2d6d5714aefba0159d2cb5167a0b upstream.
      
      Commit 4936084c ("MIPS: Cleanup R10000_LLSC_WAR logic in atomic.h")
      introduce a mistake in atomic64_fetch_##op##_relaxed(), because it
      forget to delete R10000_LLSC_WAR in the if-condition. So fix it.
      
      Fixes: 4936084c ("MIPS: Cleanup R10000_LLSC_WAR logic in atomic.h")
      Signed-off-by: NHuacai Chen <chenhc@lemote.com>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: Joshua Kinard <kumba@gentoo.org>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: Steven J . Hill <Steven.Hill@cavium.com>
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: linux-mips@linux-mips.org
      Cc: stable@vger.kernel.org # 4.19+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      db825a79
    • A
      MIPS: OCTEON: mark RGMII interface disabled on OCTEON III · 34c512d8
      Aaro Koskinen 提交于
      commit edefae94b7b9f10d5efe32dece5a36e9d9ecc29e upstream.
      
      Commit 885872b7 ("MIPS: Octeon: Add Octeon III CN7xxx
      interface detection") added RGMII interface detection for OCTEON III,
      but it results in the following logs:
      
      [    7.165984] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
      [    7.173017] ERROR: Unsupported Octeon model in __cvmx_helper_rgmii_probe
      
      The current RGMII routines are valid only for older OCTEONS that
      use GMX/ASX hardware blocks. On later chips AGL should be used,
      but support for that is missing in the mainline. Until that is added,
      mark the interface as disabled.
      
      Fixes: 885872b7 ("MIPS: Octeon: Add Octeon III CN7xxx interface detection")
      Signed-off-by: NAaro Koskinen <aaro.koskinen@iki.fi>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@vger.kernel.org
      Cc: stable@vger.kernel.org # 4.7+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      34c512d8
    • P
      MIPS: Expand MIPS32 ASIDs to 64 bits · fb38b12e
      Paul Burton 提交于
      commit ff4dd232ec45a0e45ea69f28f069f2ab22b4908a upstream.
      
      ASIDs have always been stored as unsigned longs, ie. 32 bits on MIPS32
      kernels. This is problematic because it is feasible for the ASID version
      to overflow & wrap around to zero.
      
      We currently attempt to handle this overflow by simply setting the ASID
      version to 1, using asid_first_version(), but we make no attempt to
      account for the fact that there may be mm_structs with stale ASIDs that
      have versions which we now reuse due to the overflow & wrap around.
      
      Encountering this requires that:
      
        1) A struct mm_struct X is active on CPU A using ASID (V,n).
      
        2) That mm is not used on CPU A for the length of time that it takes
           for CPU A's asid_cache to overflow & wrap around to the same
           version V that the mm had in step 1. During this time tasks using
           the mm could either be sleeping or only scheduled on other CPUs.
      
        3) Some other mm Y becomes active on CPU A and is allocated the same
           ASID (V,n).
      
        4) mm X now becomes active on CPU A again, and now incorrectly has the
           same ASID as mm Y.
      
      Where struct mm_struct ASIDs are represented above in the format
      (version, EntryHi.ASID), and on a typical MIPS32 system version will be
      24 bits wide & EntryHi.ASID will be 8 bits wide.
      
      The length of time required in step 2 is highly dependent upon the CPU &
      workload, but for a hypothetical 2GHz CPU running a workload which
      generates a new ASID every 10000 cycles this period is around 248 days.
      Due to this long period of time & the fact that tasks need to be
      scheduled in just the right (or wrong, depending upon your inclination)
      way, this is obviously a difficult bug to encounter but it's entirely
      possible as evidenced by reports.
      
      In order to fix this, simply extend ASIDs to 64 bits even on MIPS32
      builds. This will extend the period of time required for the
      hypothetical system above to encounter the problem from 28 days to
      around 3 trillion years, which feels safely outside of the realms of
      possibility.
      
      The cost of this is slightly more generated code in some commonly
      executed paths, but this is pretty minimal:
      
                               | Code Size Gain | Percentage
        -----------------------|----------------|-------------
          decstation_defconfig |           +270 | +0.00%
              32r2el_defconfig |           +652 | +0.01%
              32r6el_defconfig |          +1000 | +0.01%
      
      I have been unable to measure any change in performance of the LMbench
      lat_ctx or lat_proc tests resulting from the 64b ASIDs on either
      32r2el_defconfig+interAptiv or 32r6el_defconfig+I6500 systems.
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Suggested-by: NJames Hogan <jhogan@kernel.org>
      References: https://lore.kernel.org/linux-mips/80B78A8B8FEE6145A87579E8435D78C30205D5F3@fzex.ruijie.com.cn/
      References: https://lore.kernel.org/linux-mips/1488684260-18867-1-git-send-email-jiwei.sun@windriver.com/
      Cc: Jiwei Sun <jiwei.sun@windriver.com>
      Cc: Yu Huabing <yhb@ruijie.com.cn>
      Cc: stable@vger.kernel.org # 2.6.12+
      Cc: linux-mips@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fb38b12e
    • H
      MIPS: Align kernel load address to 64KB · 88c61f5c
      Huacai Chen 提交于
      commit bec0de4cfad21bd284dbddee016ed1767a5d2823 upstream.
      
      KEXEC needs the new kernel's load address to be aligned on a page
      boundary (see sanity_check_segment_list()), but on MIPS the default
      vmlinuz load address is only explicitly aligned to 16 bytes.
      
      Since the largest PAGE_SIZE supported by MIPS kernels is 64KB, increase
      the alignment calculated by calc_vmlinuz_load_addr to 64KB.
      Signed-off-by: NHuacai Chen <chenhc@lemote.com>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/21131/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <james.hogan@mips.com>
      Cc: Steven J . Hill <Steven.Hill@cavium.com>
      Cc: linux-mips@linux-mips.org
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: <stable@vger.kernel.org> # 2.6.36+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88c61f5c
    • H
      MIPS: Ensure pmd_present() returns false after pmd_mknotpresent() · 76a9f7b4
      Huacai Chen 提交于
      commit 92aa0718c9fa5160ad2f0e7b5bffb52f1ea1e51a upstream.
      
      This patch is borrowed from ARM64 to ensure pmd_present() returns false
      after pmd_mknotpresent(). This is needed for THP.
      
      References: 5bb1cc0f ("arm64: Ensure pmd_present() returns false after pmd_mknotpresent()")
      Reviewed-by: NJames Hogan <jhogan@kernel.org>
      Signed-off-by: NHuacai Chen <chenhc@lemote.com>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/21135/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <james.hogan@mips.com>
      Cc: Steven J . Hill <Steven.Hill@cavium.com>
      Cc: linux-mips@linux-mips.org
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: <stable@vger.kernel.org> # 3.8+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      76a9f7b4
    • H
      MIPS: c-r4k: Add r4k_blast_scache_node for Loongson-3 · e8ae2ae2
      Huacai Chen 提交于
      commit bb53fdf395eed103f85061bfff3b116cee123895 upstream.
      
      For multi-node Loongson-3 (NUMA configuration), r4k_blast_scache() can
      only flush Node-0's scache. So we add r4k_blast_scache_node() by using
      (CAC_BASE | (node_id << NODE_ADDRSPACE_SHIFT)) instead of CKSEG0 as the
      start address.
      Signed-off-by: NHuacai Chen <chenhc@lemote.com>
      [paul.burton@mips.com: Include asm/mmzone.h from asm/r4kcache.h for
      		       nid_to_addrbase(). Add asm/mach-generic/mmzone.h
      		       to allow inclusion for all platforms.]
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Patchwork: https://patchwork.linux-mips.org/patch/21129/
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <james.hogan@mips.com>
      Cc: Steven J . Hill <Steven.Hill@cavium.com>
      Cc: linux-mips@linux-mips.org
      Cc: Fuxin Zhang <zhangfx@lemote.com>
      Cc: Zhangjin Wu <wuzhangjin@gmail.com>
      Cc: <stable@vger.kernel.org> # 3.15+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8ae2ae2
    • P
      MIPS: math-emu: Write-protect delay slot emulation pages · 62452b35
      Paul Burton 提交于
      commit adcc81f148d733b7e8e641300c5590a2cdc13bf3 upstream.
      
      Mapping the delay slot emulation page as both writeable & executable
      presents a security risk, in that if an exploit can write to & jump into
      the page then it can be used as an easy way to execute arbitrary code.
      
      Prevent this by mapping the page read-only for userland, and using
      access_process_vm() with the FOLL_FORCE flag to write to it from
      mips_dsemul().
      
      This will likely be less efficient due to copy_to_user_page() performing
      cache maintenance on a whole page, rather than a single line as in the
      previous use of flush_cache_sigtramp(). However this delay slot
      emulation code ought not to be running in any performance critical paths
      anyway so this isn't really a problem, and we can probably do better in
      copy_to_user_page() anyway in future.
      
      A major advantage of this approach is that the fix is small & simple to
      backport to stable kernels.
      Reported-by: NAndy Lutomirski <luto@kernel.org>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Fixes: 432c6bac ("MIPS: Use per-mm page to execute branch delay slot instructions")
      Cc: stable@vger.kernel.org # v4.8+
      Cc: linux-mips@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: Rich Felker <dalias@libc.org>
      Cc: David Daney <david.daney@cavium.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      62452b35
    • S
      tools lib traceevent: Fix processing of dereferenced args in bprintk events · d642e0b6
      Steven Rostedt (VMware) 提交于
      commit f024cf085c423bac7512479f45c34ee9a24af7ce upstream.
      
      In the case that a bprintk event has a dereferenced pointer that is
      stored as a string, and there's more values to process (more args), the
      arg was not updated to point to the next arg after processing the
      dereferenced pointer, and it screwed up what was to be displayed.
      Signed-off-by: NSteven Rostedt (VMware) <rostedt@goodmis.org>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: linux-trace-devel@vger.kernel.org
      Cc: stable@vger.kernel.org
      Fixes: 37db96bb ("tools lib traceevent: Handle new pointer processing of bprint strings")
      Link: http://lkml.kernel.org/r/20181210134522.3f71e2ca@gandalf.local.homeSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d642e0b6
    • H
      media: v4l2-tpg: array index could become negative · 47af3cec
      Hans Verkuil 提交于
      commit e5f71a27fa12c1a1b02ad478a568e76260f1815e upstream.
      
      text[s] is a signed char, so using that as index into the font8x16 array
      can result in negative indices. Cast it to u8 to be safe.
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: syzbot+ccf0a61ed12f2a7313ee@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>      # for v4.7 and up
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47af3cec
    • H
      media: vb2: check memory model for VIDIOC_CREATE_BUFS · 245fc1c7
      Hans Verkuil 提交于
      commit 62dcb4f41836bd3c44b5b651bb6df07ea4cb1551 upstream.
      
      vb2_core_create_bufs did not check if the memory model for newly added
      buffers is the same as for already existing buffers. It should return an
      error if they aren't the same.
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: syzbot+e1fb118a2ebb88031d21@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>      # for v4.16 and up
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      245fc1c7
    • H
      media: vivid: free bitmap_cap when updating std/timings/etc. · 845c7f6c
      Hans Verkuil 提交于
      commit 560ccb75c2caa6b1039dec1a53cd2ef526f5bf03 upstream.
      
      When vivid_update_format_cap() is called it should free any overlay
      bitmap since the compose size will change.
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: syzbot+0cc8e3cc63ca373722c6@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>      # for v3.18 and up
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      845c7f6c
    • L
      media: imx274: fix stack corruption in imx274_read_reg · 257ad26e
      Luca Ceresoli 提交于
      commit cea8c0077d6cf3a0cea2f18a8e914af78d46b2ff upstream.
      
      imx274_read_reg() takes a u8 pointer ("reg") and casts it to pass it
      to regmap_read(), which takes an unsigned int pointer. This results in
      a corrupted stack and random crashes.
      
      Fixes: 0985dd30 ("media: imx274: V4l2 driver for Sony imx274 CMOS sensor")
      
      Cc: stable@vger.kernel.org # for 4.15 and up
      Signed-off-by: NLuca Ceresoli <luca@lucaceresoli.net>
      Signed-off-by: NSakari Ailus <sakari.ailus@linux.intel.com>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      257ad26e
    • S
      media: rc: cec devices do not have a lirc chardev · 7ce31f63
      Sean Young 提交于
      commit e5bb9d3d755f128956ed467ae50b41d22bb680c6 upstream.
      
      This fixes an oops in ir_lirc_scancode_event().
      
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
      PGD 0 P4D 0
      Oops: 0000 [#1] SMP PTI
      CPU: 9 PID: 27687 Comm: kworker/9:2 Tainted: P           OE 4.18.12-200.fc28.x86_64 #1
      Hardware name: Supermicro C7X99-OCE-F/C7X99-OCE-F, BIOS 2.1a 06/15/2018
      Workqueue: events pulse8_irq_work_handler [pulse8_cec]
      RIP: 0010:ir_lirc_scancode_event+0x3d/0xb0 [rc_core]
      Code: 8d ae b4 07 00 00 49 81 c6 b8 07 00 00 53 e8 4a df c3 d5 48 89 ef 49 89 45 00 e8 4e 84 41 d6 49 8b 1e 49 89 c4 4c 39 f3 74 58 <8b> 43 38 8b 53 40 89 c1 2b 4b 3c 39 ca 72 41 21 d0 49 8b 7d 00 49
      RSP: 0018:ffffaa10e3c07d58 EFLAGS: 00010017
      RAX: 0000000000000002 RBX: 0000000000000000 RCX: 0000000000000018
      RDX: 0000000000000001 RSI: 00316245397fa93c RDI: ffff966d31c8d7b4
      RBP: ffff966d31c8d7b4 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000003 R11: ffffaa10e3c07e28 R12: 0000000000000002
      R13: ffffaa10e3c07d88 R14: ffff966d31c8d7b8 R15: 0000000000000073
      FS:  0000000000000000(0000) GS:ffff966d3f440000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000000038 CR3: 00000009d820a003 CR4: 00000000003606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       ir_do_keydown+0x75/0x260 [rc_core]
       rc_keydown+0x54/0xc0 [rc_core]
       cec_received_msg_ts+0xaa8/0xaf0 [cec]
       process_one_work+0x1a1/0x350
       worker_thread+0x30/0x380
       ? pwq_unbound_release_workfn+0xd0/0xd0
       kthread+0x112/0x130
       ? kthread_create_worker_on_cpu+0x70/0x70
       ret_from_fork+0x35/0x40
      Modules linked in: rc_tt_1500 dvb_usb_dvbsky dvb_usb_v2 uas usb_storage fuse vhost_net vhost tap xt_CHECKSUM iptable_mangle ip6t_REJECT nf_reject_ipv6 tun 8021q garp mrp xt_nat macvlan xfs devlink ebta
       si2157 si2168 cx25840 cx23885 kvm altera_ci tda18271 joydev ir_rc6_decoder rc_rc6_mce crct10dif_pclmul crc32_pclmul ghash_clmulni_intel intel_cstate intel_uncore altera_stapl m88ds3103 tveeprom cx2341
       mxm_wmi igb crc32c_intel megaraid_sas dca i2c_algo_bit wmi vfio_pci irqbypass vfio_virqfd vfio_iommu_type1 vfio i2c_dev
      CR2: 0000000000000038
      
      Cc: <stable@vger.kernel.org> # v4.16+
      Signed-off-by: NSean Young <sean@mess.org>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ce31f63
    • H
      media: cec-pin: fix broken tx_ignore_nack_until_eom error injection · 2f8cff22
      Hans Verkuil 提交于
      commit ac791f19a273a7fe254a7596f193af6534582a9f upstream.
      
      If the tx_ignore_nack_until_eom error injection was activated,
      then tx_nacked was never set instead of setting it when the last
      byte of the message was transmitted.
      
      As a result the transmit was marked as OK, when it should have
      been NACKed.
      
      Modify the condition so that it always sets tx_nacked when the
      last byte of the message was transmitted.
      Signed-off-by: NHans Verkuil <hans.verkuil@cisco.com>
      Cc: <stable@vger.kernel.org>      # for v4.17 and up
      Signed-off-by: NHans Verkuil <hansverk@cisco.com>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f8cff22
    • H
      media: cec: keep track of outstanding transmits · 46515303
      Hans Verkuil 提交于
      commit 32804fcb612bf867034a093f459415e485cf044b upstream.
      
      I noticed that repeatedly running 'cec-ctl --playback' would occasionally
      select 'Playback Device 2' instead of 'Playback Device 1', even though there
      were no other Playback devices in the HDMI topology. This happened both with
      'real' hardware and with the vivid CEC emulation, suggesting that this was an
      issue in the core code that claims a logical address.
      
      What 'cec-ctl --playback' does is to first clear all existing logical addresses,
      and immediately after that configure the new desired device type.
      
      The core code will poll the logical addresses trying to find a free address.
      When found it will issue a few standard messages as per the CEC spec and return.
      Those messages are queued up and will be transmitted asynchronously.
      
      What happens is that if you run two 'cec-ctl --playback' commands in quick
      succession, there is still a message of the first cec-ctl command being transmitted
      when you reconfigure the adapter again in the second cec-ctl command.
      
      When the logical addresses are cleared, then all information about outstanding
      transmits inside the CEC core is also cleared, and the core is no longer aware
      that there is still a transmit in flight.
      
      When the hardware finishes the transmit it calls transmit_done and the CEC core
      thinks it is actually in response of a POLL messages that is trying to find a
      free logical address. The result of all this is that the core thinks that the
      logical address for Playback Device 1 is in use, when it is really an earlier
      transmit that ended.
      
      The main transmit thread looks at adap->transmitting to check if a transmit
      is in progress, but that is set to NULL when the adapter is unconfigured.
      adap->transmitting represents the view of userspace, not that of the hardware.
      So when unconfiguring the adapter the message is marked aborted from the point
      of view of userspace, but seen from the PoV of the hardware it is still ongoing.
      
      So introduce a new bool transmit_in_progress that represents the hardware state
      and use that instead of adap->transmitting. Now the CEC core waits until the
      hardware finishes the transmit before starting a new transmit.
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Cc: <stable@vger.kernel.org>      # for v4.18 and up
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      46515303
    • N
      serial: uartps: Fix interrupt mask issue to handle the RX interrupts properly · e534754f
      Nava kishore Manne 提交于
      commit 260683137ab5276113fc322fdbbc578024185fee upstream.
      
      This patch Correct the RX interrupt mask value to handle the
      RX interrupts properly.
      
      Fixes: c8dbdc84 ("serial: xuartps: Rewrite the interrupt handling logic")
      Signed-off-by: NNava kishore Manne <nava.manne@xilinx.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NMichal Simek <michal.simek@xilinx.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e534754f
    • J
      f2fs: sanity check of xattr entry size · 5036fcd9
      Jaegeuk Kim 提交于
      commit 64beba0558fce7b59e9a8a7afd77290e82a22163 upstream.
      
      There is a security report where f2fs_getxattr() has a hole to expose wrong
      memory region when the image is malformed like this.
      
      f2fs_getxattr: entry->e_name_len: 4, size: 12288, buffer_size: 16384, len: 4
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5036fcd9
    • M
      f2fs: fix validation of the block count in sanity_check_raw_super · 58d7ab71
      Martin Blumenstingl 提交于
      commit 88960068f25fcc3759455d85460234dcc9d43fef upstream.
      
      Treat "block_count" from struct f2fs_super_block as 64-bit little endian
      value in sanity_check_raw_super() because struct f2fs_super_block
      declares "block_count" as "__le64".
      
      This fixes a bug where the superblock validation fails on big endian
      devices with the following error:
        F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
        F2FS-fs (sda1): Can't find valid F2FS filesystem in 1th superblock
        F2FS-fs (sda1): Wrong segment_count / block_count (61439 > 0)
        F2FS-fs (sda1): Can't find valid F2FS filesystem in 2th superblock
      As result of this the partition cannot be mounted.
      
      With this patch applied the superblock validation works fine and the
      partition can be mounted again:
        F2FS-fs (sda1): Mounted with checkpoint version = 7c84
      
      My little endian x86-64 hardware was able to mount the partition without
      this fix.
      To confirm that mounting f2fs filesystems works on big endian machines
      again I tested this on a 32-bit MIPS big endian (lantiq) device.
      
      Fixes: 0cfe75c5 ("f2fs: enhance sanity_check_raw_super() to avoid potential overflows")
      Cc: stable@vger.kernel.org
      Signed-off-by: NMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      58d7ab71
    • P
      f2fs: read page index before freeing · ce5b0057
      Pan Bian 提交于
      commit 0ea295dd853e0879a9a30ab61f923c26be35b902 upstream.
      
      The function truncate_node frees the page with f2fs_put_page. However,
      the page index is read after that. So, the patch reads the index before
      freeing the page.
      
      Fixes: bf39c00a ("f2fs: drop obsolete node page when it is truncated")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NPan Bian <bianpan2016@163.com>
      Reviewed-by: NChao Yu <yuchao0@huawei.com>
      Signed-off-by: NJaegeuk Kim <jaegeuk@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ce5b0057
    • D
      dax: Use non-exclusive wait in wait_entry_unlocked() · 9621ea6b
      Dan Williams 提交于
      commit d8a706414af4827fc0b4b1c0c631c607351938b9 upstream.
      
      get_unlocked_entry() uses an exclusive wait because it is guaranteed to
      eventually obtain the lock and follow on with an unlock+wakeup cycle.
      The wait_entry_unlocked() path does not have the same guarantee. Rather
      than open-code an extra wakeup, just switch to a non-exclusive wait.
      
      Cc: Matthew Wilcox <willy@infradead.org>
      Reported-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NDan Williams <dan.j.williams@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9621ea6b
    • M
      dax: Don't access a freed inode · c555772c
      Matthew Wilcox 提交于
      commit 55e56f06ed71d9441f3abd5b1d3c1a870812b3fe upstream.
      
      After we drop the i_pages lock, the inode can be freed at any time.
      The get_unlocked_entry() code has no choice but to reacquire the lock,
      so it can't be used here.  Create a new wait_entry_unlocked() which takes
      care not to acquire the lock or dereference the address_space in any way.
      
      Fixes: c2a7d2a1 ("filesystem-dax: Introduce dax_lock_mapping_entry()")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NMatthew Wilcox <willy@infradead.org>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NDan Williams <dan.j.williams@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c555772c
    • B
      powerpc/tm: Unset MSR[TS] if not recheckpointing · a9935a12
      Breno Leitao 提交于
      commit 6f5b9f018f4c7686fd944d920209d1382d320e4e upstream.
      
      There is a TM Bad Thing bug that can be caused when you return from a
      signal context in a suspended transaction but with ucontext MSR[TS] unset.
      
      This forces regs->msr[TS] to be set at syscall entrance (since the CPU
      state is transactional). It also calls treclaim() to flush the transaction
      state, which is done based on the live (mfmsr) MSR state.
      
      Since user context MSR[TS] is not set, then restore_tm_sigcontexts() is not
      called, thus, not executing recheckpoint, keeping the CPU state as not
      transactional. When calling rfid, SRR1 will have MSR[TS] set, but the CPU
      state is non transactional, causing the TM Bad Thing with the following
      stack:
      
      	[   33.862316] Bad kernel stack pointer 3fffd9dce3e0 at c00000000000c47c
      	cpu 0x8: Vector: 700 (Program Check) at [c00000003ff7fd40]
      	    pc: c00000000000c47c: fast_exception_return+0xac/0xb4
      	    lr: 00003fff865f442c
      	    sp: 3fffd9dce3e0
      	   msr: 8000000102a03031
      	  current = 0xc00000041f68b700
      	  paca    = 0xc00000000fb84800   softe: 0        irq_happened: 0x01
      	    pid   = 1721, comm = tm-signal-sigre
      	Linux version 4.9.0-3-powerpc64le (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18) ) #1 SMP Debian 4.9.30-2+deb9u2 (2017-06-26)
      	WARNING: exception is not recoverable, can't continue
      
      The same problem happens on 32-bits signal handler, and the fix is very
      similar, if tm_recheckpoint() is not executed, then regs->msr[TS] should be
      zeroed.
      
      This patch also fixes a sparse warning related to lack of indentation when
      CONFIG_PPC_TRANSACTIONAL_MEM is set.
      
      Fixes: 2b0a576d ("powerpc: Add new transactional memory state to the signal context")
      CC: Stable <stable@vger.kernel.org>	# 3.10+
      Signed-off-by: NBreno Leitao <leitao@debian.org>
      Tested-by: NMichal Suchánek <msuchanek@suse.de>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a9935a12
    • L
      brcmfmac: Fix out of bounds memory access during fw load · 71cda0af
      Lyude Paul 提交于
      commit b72c51a58e6d63ef673ac96b8ab5bc98799c5f7b upstream.
      
      I ended up tracking down some rather nasty issues with f2fs (and other
      filesystem modules) constantly crashing on my kernel down to a
      combination of out of bounds memory accesses, one of which was coming
      from brcmfmac during module load:
      
      [   30.891382] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac4356-sdio for chip BCM4356/2
      [   30.894437] ==================================================================
      [   30.901581] BUG: KASAN: global-out-of-bounds in brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
      [   30.909935] Read of size 1 at addr ffff2000024865df by task kworker/6:2/387
      [   30.916805]
      [   30.918261] CPU: 6 PID: 387 Comm: kworker/6:2 Tainted: G           O      4.20.0-rc3Lyude-Test+ #19
      [   30.927251] Hardware name: amlogic khadas-vim2/khadas-vim2, BIOS 2018.07-rc2-armbian 09/11/2018
      [   30.935964] Workqueue: events brcmf_driver_register [brcmfmac]
      [   30.941641] Call trace:
      [   30.944058]  dump_backtrace+0x0/0x3e8
      [   30.947676]  show_stack+0x14/0x20
      [   30.950968]  dump_stack+0x130/0x1c4
      [   30.954406]  print_address_description+0x60/0x25c
      [   30.959066]  kasan_report+0x1b4/0x368
      [   30.962683]  __asan_report_load1_noabort+0x18/0x20
      [   30.967547]  brcmf_fw_alloc_request+0x42c/0x480 [brcmfmac]
      [   30.967639]  brcmf_sdio_probe+0x163c/0x2050 [brcmfmac]
      [   30.978035]  brcmf_ops_sdio_probe+0x598/0xa08 [brcmfmac]
      [   30.983254]  sdio_bus_probe+0x190/0x398
      [   30.983270]  really_probe+0x2a0/0xa70
      [   30.983296]  driver_probe_device+0x1b4/0x2d8
      [   30.994901]  __driver_attach+0x200/0x280
      [   30.994914]  bus_for_each_dev+0x10c/0x1a8
      [   30.994925]  driver_attach+0x38/0x50
      [   30.994935]  bus_add_driver+0x330/0x608
      [   30.994953]  driver_register+0x140/0x388
      [   31.013965]  sdio_register_driver+0x74/0xa0
      [   31.014076]  brcmf_sdio_register+0x14/0x60 [brcmfmac]
      [   31.023177]  brcmf_driver_register+0xc/0x18 [brcmfmac]
      [   31.023209]  process_one_work+0x654/0x1080
      [   31.032266]  worker_thread+0x4f0/0x1308
      [   31.032286]  kthread+0x2a8/0x320
      [   31.039254]  ret_from_fork+0x10/0x1c
      [   31.039269]
      [   31.044226] The buggy address belongs to the variable:
      [   31.044351]  brcmf_firmware_path+0x11f/0xfffffffffffd3b40 [brcmfmac]
      [   31.055601]
      [   31.057031] Memory state around the buggy address:
      [   31.061800]  ffff200002486480: 04 fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      [   31.068983]  ffff200002486500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   31.068993] >ffff200002486580: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
      [   31.068999]                                                     ^
      [   31.069017]  ffff200002486600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [   31.096521]  ffff200002486680: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
      [   31.096528] ==================================================================
      [   31.096533] Disabling lock debugging due to kernel taint
      
      It appears that when trying to determine the length of the string in the
      alternate firmware path, we make the mistake of not handling the case
      where the firmware path is empty correctly. Since strlen(mp_path) can
      return 0, we'll end up accessing mp_path[-1] when the firmware_path
      isn't provided through the module arguments.
      
      So, fix this by just setting the end char to '\0' by default, and only
      changing it if we have a non-zero length. Additionally, use strnlen()
      with BRCMF_FW_ALTPATH_LEN instead of strlen() just to be extra safe.
      
      Fixes: 2baa3aae ("brcmfmac: introduce brcmf_fw_alloc_request() function")
      Cc: Hante Meuleman <hante.meuleman@broadcom.com>
      Cc: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
      Cc: Franky Lin <franky.lin@broadcom.com>
      Cc: Arend van Spriel <arend.vanspriel@broadcom.com>
      Cc: Kalle Valo <kvalo@codeaurora.org>
      Cc: Arend Van Spriel <arend.vanspriel@broadcom.com>
      Cc: Himanshu Jha <himanshujha199640@gmail.com>
      Cc: Dan Haab <dhaab@luxul.com>
      Cc: Jia-Shyr Chuang <saint.chuang@cypress.com>
      Cc: Ian Molton <ian@mnementh.co.uk>
      Cc: <stable@vger.kernel.org> # v4.17+
      Signed-off-by: NLyude Paul <lyude@redhat.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      71cda0af
    • S
      brcmfmac: fix roamoff=1 modparam · fad6c183
      Stijn Tintel 提交于
      commit 8c892df41500469729e0d662816300196e4f463d upstream.
      
      When the update_connect_param callback is set, nl80211 expects the flag
      WIPHY_FLAG_SUPPORTS_FW_ROAM to be set as well. However, this flag is
      only set when modparam roamoff=0, while the callback is set
      unconditionally. Since commit 7f9a3e15 this causes a warning in
      wiphy_register, which breaks brcmfmac.
      
      Disable the update_connect_param callback when roamoff=0 to fix this.
      
      Fixes: 7f9a3e15 ("nl80211: Update ERP info using NL80211_CMD_UPDATE_CONNECT_PARAMS")
      Cc: Stable <stable@vger.kernel.org> # 4.19+
      Signed-off-by: NJonas Gorski <jonas.gorski@gmail.com>
      Signed-off-by: NStijn Tintel <stijn@linux-ipv6.be>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fad6c183
    • F
      Btrfs: send, fix race with transaction commits that create snapshots · 9eec74b4
      Filipe Manana 提交于
      commit be6821f82c3cc36e026f5afd10249988852b35ea upstream.
      
      If we create a snapshot of a snapshot currently being used by a send
      operation, we can end up with send failing unexpectedly (returning
      -ENOENT error to user space for example). The following diagram shows
      how this happens.
      
                  CPU 1                                   CPU2                                CPU3
      
       btrfs_ioctl_send()
        (...)
                                           create_snapshot()
                                            -> creates snapshot of a
                                               root used by the send
                                               task
                                            btrfs_commit_transaction()
                                             create_pending_snapshot()
        __get_inode_info()
         btrfs_search_slot()
          btrfs_search_slot_get_root()
           down_read commit_root_sem
      
           get reference on eb of the
           commit root
            -> eb with bytenr == X
      
           up_read commit_root_sem
      
                                              btrfs_cow_block(root node)
                                               btrfs_free_tree_block()
                                                -> creates delayed ref to
                                                   free the extent
      
                                             btrfs_run_delayed_refs()
                                              -> runs the delayed ref,
                                                 adds extent to
                                                 fs_info->pinned_extents
      
                                             btrfs_finish_extent_commit()
                                              unpin_extent_range()
                                               -> marks extent as free
                                                  in the free space cache
      
                                            transaction commit finishes
      
                                                                             btrfs_start_transaction()
                                                                              (...)
                                                                              btrfs_cow_block()
                                                                               btrfs_alloc_tree_block()
                                                                                btrfs_reserve_extent()
                                                                                 -> allocates extent at
                                                                                    bytenr == X
                                                                                btrfs_init_new_buffer(bytenr X)
                                                                                 btrfs_find_create_tree_block()
                                                                                  alloc_extent_buffer(bytenr X)
                                                                                   find_extent_buffer(bytenr X)
                                                                                    -> returns existing eb,
                                                                                       which the send task got
      
                                                                              (...)
                                                                               -> modifies content of the
                                                                                  eb with bytenr == X
      
          -> uses an eb that now
             belongs to some other
             tree and no more matches
             the commit root of the
             snapshot, resuts will be
             unpredictable
      
      The consequences of this race can be various, and can lead to searches in
      the commit root performed by the send task failing unexpectedly (unable to
      find inode items, returning -ENOENT to user space, for example) or not
      failing because an inode item with the same number was added to the tree
      that reused the metadata extent, in which case send can behave incorrectly
      in the worst case or just fail later for some reason.
      
      Fix this by performing a copy of the commit root's extent buffer when doing
      a search in the context of a send operation.
      
      CC: stable@vger.kernel.org # 4.4.x: 1fc28d8e: Btrfs: move get root out of btrfs_search_slot to a helper
      CC: stable@vger.kernel.org # 4.4.x: f9ddfd05: Btrfs: remove unused check of skip_locking
      CC: stable@vger.kernel.org # 4.4.x
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9eec74b4
    • J
      btrfs: run delayed items before dropping the snapshot · 6911b074
      Josef Bacik 提交于
      commit 0568e82dbe2510fc1fa664f58e5c997d3f1e649e upstream.
      
      With my delayed refs patches in place we started seeing a large amount
      of aborts in __btrfs_free_extent:
      
       BTRFS error (device sdb1): unable to find ref byte nr 91947008 parent 0 root 35964  owner 1 offset 0
       Call Trace:
        ? btrfs_merge_delayed_refs+0xaf/0x340
        __btrfs_run_delayed_refs+0x6ea/0xfc0
        ? btrfs_set_path_blocking+0x31/0x60
        btrfs_run_delayed_refs+0xeb/0x180
        btrfs_commit_transaction+0x179/0x7f0
        ? btrfs_check_space_for_delayed_refs+0x30/0x50
        ? should_end_transaction.isra.19+0xe/0x40
        btrfs_drop_snapshot+0x41c/0x7c0
        btrfs_clean_one_deleted_snapshot+0xb5/0xd0
        cleaner_kthread+0xf6/0x120
        kthread+0xf8/0x130
        ? btree_invalidatepage+0x90/0x90
        ? kthread_bind+0x10/0x10
        ret_from_fork+0x35/0x40
      
      This was because btrfs_drop_snapshot depends on the root not being
      modified while it's dropping the snapshot.  It will unlock the root node
      (and really every node) as it walks down the tree, only to re-lock it
      when it needs to do something.  This is a problem because if we modify
      the tree we could cow a block in our path, which frees our reference to
      that block.  Then once we get back to that shared block we'll free our
      reference to it again, and get ENOENT when trying to lookup our extent
      reference to that block in __btrfs_free_extent.
      
      This is ultimately happening because we have delayed items left to be
      processed for our deleted snapshot _after_ all of the inodes are closed
      for the snapshot.  We only run the delayed inode item if we're deleting
      the inode, and even then we do not run the delayed insertions or delayed
      removals.  These can be run at any point after our final inode does its
      last iput, which is what triggers the snapshot deletion.  We can end up
      with the snapshot deletion happening and then have the delayed items run
      on that file system, resulting in the above problem.
      
      This problem has existed forever, however my patches made it much easier
      to hit as I wake up the cleaner much more often to deal with delayed
      iputs, which made us more likely to start the snapshot dropping work
      before the transaction commits, which is when the delayed items would
      generally be run.  Before, generally speaking, we would run the delayed
      items, commit the transaction, and wakeup the cleaner thread to start
      deleting snapshots, which means we were less likely to hit this problem.
      You could still hit it if you had multiple snapshots to be deleted and
      ended up with lots of delayed items, but it was definitely harder.
      
      Fix for now by simply running all the delayed items before starting to
      drop the snapshot.  We could make this smarter in the future by making
      the delayed items per-root, and then simply drop any delayed items for
      roots that we are going to delete.  But for now just a quick and easy
      solution is the safest.
      
      CC: stable@vger.kernel.org # 4.4+
      Reviewed-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NJosef Bacik <josef@toxicpanda.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6911b074
    • F
      Btrfs: fix fsync of files with multiple hard links in new directories · 10b04210
      Filipe Manana 提交于
      commit 41bd60676923822de1df2c50b3f9a10171f4338a upstream.
      
      The log tree has a long standing problem that when a file is fsync'ed we
      only check for new ancestors, created in the current transaction, by
      following only the hard link for which the fsync was issued. We follow the
      ancestors using the VFS' dget_parent() API. This means that if we create a
      new link for a file in a directory that is new (or in an any other new
      ancestor directory) and then fsync the file using an old hard link, we end
      up not logging the new ancestor, and on log replay that new hard link and
      ancestor do not exist. In some cases, involving renames, the file will not
      exist at all.
      
      Example:
      
        mkfs.btrfs -f /dev/sdb
        mount /dev/sdb /mnt
      
        mkdir /mnt/A
        touch /mnt/foo
        ln /mnt/foo /mnt/A/bar
        xfs_io -c fsync /mnt/foo
      
        <power failure>
      
      In this example after log replay only the hard link named 'foo' exists
      and directory A does not exist, which is unexpected. In other major linux
      filesystems, such as ext4, xfs and f2fs for example, both hard links exist
      and so does directory A after mounting again the filesystem.
      
      Checking if any new ancestors are new and need to be logged was added in
      2009 by commit 12fcfd22 ("Btrfs: tree logging unlink/rename fixes"),
      however only for the ancestors of the hard link (dentry) for which the
      fsync was issued, instead of checking for all ancestors for all of the
      inode's hard links.
      
      So fix this by tracking the id of the last transaction where a hard link
      was created for an inode and then on fsync fallback to a full transaction
      commit when an inode has more than one hard link and at least one new hard
      link was created in the current transaction. This is the simplest solution
      since this is not a common use case (adding frequently hard links for
      which there's an ancestor created in the current transaction and then
      fsync the file). In case it ever becomes a common use case, a solution
      that consists of iterating the fs/subvol btree for each hard link and
      check if any ancestor is new, could be implemented.
      
      This solves many unexpected scenarios reported by Jayashree Mohan and
      Vijay Chidambaram, and for which there is a new test case for fstests
      under review.
      
      Fixes: 12fcfd22 ("Btrfs: tree logging unlink/rename fixes")
      CC: stable@vger.kernel.org # 4.4+
      Reported-by: NVijay Chidambaram <vvijay03@gmail.com>
      Reported-by: NJayashree Mohan <jayashree2912@gmail.com>
      Signed-off-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      10b04210
    • L
      btrfs: skip file_extent generation check for free_space_inode in run_delalloc_nocow · 7708a830
      Lu Fengqi 提交于
      commit 27a7ff554e8d349627a90bda275c527b7348adae upstream.
      
      The test case btrfs/001 with inode_cache mount option will encounter the
      following warning:
      
        WARNING: CPU: 1 PID: 23700 at fs/btrfs/inode.c:956 cow_file_range.isra.19+0x32b/0x430 [btrfs]
        CPU: 1 PID: 23700 Comm: btrfs Kdump: loaded Tainted: G        W  O      4.20.0-rc4-custom+ #30
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
        RIP: 0010:cow_file_range.isra.19+0x32b/0x430 [btrfs]
        Call Trace:
         ? free_extent_buffer+0x46/0x90 [btrfs]
         run_delalloc_nocow+0x455/0x900 [btrfs]
         btrfs_run_delalloc_range+0x1a7/0x360 [btrfs]
         writepage_delalloc+0xf9/0x150 [btrfs]
         __extent_writepage+0x125/0x3e0 [btrfs]
         extent_write_cache_pages+0x1b6/0x3e0 [btrfs]
         ? __wake_up_common_lock+0x63/0xc0
         extent_writepages+0x50/0x80 [btrfs]
         do_writepages+0x41/0xd0
         ? __filemap_fdatawrite_range+0x9e/0xf0
         __filemap_fdatawrite_range+0xbe/0xf0
         btrfs_fdatawrite_range+0x1b/0x50 [btrfs]
         __btrfs_write_out_cache+0x42c/0x480 [btrfs]
         btrfs_write_out_ino_cache+0x84/0xd0 [btrfs]
         btrfs_save_ino_cache+0x551/0x660 [btrfs]
         commit_fs_roots+0xc5/0x190 [btrfs]
         btrfs_commit_transaction+0x2bf/0x8d0 [btrfs]
         btrfs_mksubvol+0x48d/0x4d0 [btrfs]
         btrfs_ioctl_snap_create_transid+0x170/0x180 [btrfs]
         btrfs_ioctl_snap_create_v2+0x124/0x180 [btrfs]
         btrfs_ioctl+0x123f/0x3030 [btrfs]
      
      The file extent generation of the free space inode is equal to the last
      snapshot of the file root, so the inode will be passed to cow_file_rage.
      But the inode was created and its extents were preallocated in
      btrfs_save_ino_cache, there are no cow copies on disk.
      
      The preallocated extent is not yet in the extent tree, and
      btrfs_cross_ref_exist will ignore the -ENOENT returned by
      check_committed_ref, so we can directly write the inode to the disk.
      
      Fixes: 78d4295b ("btrfs: lift some btrfs_cross_ref_exist checks in nocow path")
      CC: stable@vger.kernel.org # 4.18+
      Reviewed-by: NFilipe Manana <fdmanana@suse.com>
      Signed-off-by: NLu Fengqi <lufq.fnst@cn.fujitsu.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7708a830
    • A
      btrfs: dev-replace: go back to suspend state if another EXCL_OP is running · c1f90eb0
      Anand Jain 提交于
      commit 05c49e6bc1e8866ecfd674ebeeb58cdbff9145c2 upstream.
      
      In a secnario where balance and replace co-exists as below,
      
        - start balance
        - pause balance
        - start replace
        - reboot
      
      and when system restarts, balance resumes first. Then the replace is
      attempted to restart but will fail as the EXCL_OP lock is already held
      by the balance. If so place the replace state back to
      BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED state.
      
      Fixes: 010a47bd ("btrfs: add proper safety check before resuming dev-replace")
      CC: stable@vger.kernel.org # 4.18+
      Signed-off-by: NAnand Jain <anand.jain@oracle.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c1f90eb0
    • A
      btrfs: dev-replace: go back to suspended state if target device is missing · 28867a52
      Anand Jain 提交于
      commit 0d228ece59a35a9b9e8ff0d40653234a6d90f61e upstream.
      
      At the time of forced unmount we place the running replace to
      BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED state, so when the system comes
      back and expect the target device is missing.
      
      Then let the replace state continue to be in
      BTRFS_IOCTL_DEV_REPLACE_STATE_SUSPENDED state instead of
      BTRFS_IOCTL_DEV_REPLACE_STATE_STARTED as there isn't any matching scrub
      running as part of replace.
      
      Fixes: e93c89c1 ("Btrfs: add new sources for device replace code")
      CC: stable@vger.kernel.org # 4.4+
      Signed-off-by: NAnand Jain <anand.jain@oracle.com>
      Reviewed-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NDavid Sterba <dsterba@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28867a52
    • M
      cdc-acm: fix abnormal DATA RX issue for Mediatek Preloader. · 326ca6bd
      Macpaul Lin 提交于
      commit eafb27fa5283599ce6c5492ea18cf636a28222bb upstream.
      
      Mediatek Preloader is a proprietary embedded boot loader for loading
      Little Kernel and Linux into device DRAM.
      
      This boot loader also handle firmware update. Mediatek Preloader will be
      enumerated as a virtual COM port when the device is connected to Windows
      or Linux OS via CDC-ACM class driver. When the USB enumeration has been
      done, Mediatek Preloader will send out handshake command "READY" to PC
      actively instead of waiting command from the download tool.
      
      Since Linux 4.12, the commit "tty: reset termios state on device
      registration" (93857edd) causes Mediatek
      Preloader receiving some abnoraml command like "READYXX" as it sent.
      This will be recognized as an incorrect response. The behavior change
      also causes the download handshake fail. This change only affects
      subsequent connects if the reconnected device happens to get the same minor
      number.
      
      By disabling the ECHO termios flag could avoid this problem. However, it
      cannot be done by user space configuration when download tool open
      /dev/ttyACM0. This is because the device running Mediatek Preloader will
      send handshake command "READY" immediately once the CDC-ACM driver is
      ready.
      
      This patch wants to fix above problem by introducing "DISABLE_ECHO"
      property in driver_info. When Mediatek Preloader is connected, the
      CDC-ACM driver could disable ECHO flag in termios to avoid the problem.
      Signed-off-by: NMacpaul Lin <macpaul.lin@mediatek.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: NJohan Hovold <johan@kernel.org>
      Acked-by: NOliver Neukum <oneukum@suse.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      326ca6bd
    • T
      cgroup: fix CSS_TASK_ITER_PROCS · 8a2fbdd5
      Tejun Heo 提交于
      commit e9d81a1bc2c48ea9782e3e8b53875f419766ef47 upstream.
      
      CSS_TASK_ITER_PROCS implements process-only iteration by making
      css_task_iter_advance() skip tasks which aren't threadgroup leaders;
      however, when an iteration is started css_task_iter_start() calls the
      inner helper function css_task_iter_advance_css_set() instead of
      css_task_iter_advance().  As the helper doesn't have the skip logic,
      when the first task to visit is a non-leader thread, it doesn't get
      skipped correctly as shown in the following example.
      
        # ps -L 2030
          PID   LWP TTY      STAT   TIME COMMAND
         2030  2030 pts/0    Sl+    0:00 ./test-thread
         2030  2031 pts/0    Sl+    0:00 ./test-thread
        # mkdir -p /sys/fs/cgroup/x/a/b
        # echo threaded > /sys/fs/cgroup/x/a/cgroup.type
        # echo threaded > /sys/fs/cgroup/x/a/b/cgroup.type
        # echo 2030 > /sys/fs/cgroup/x/a/cgroup.procs
        # cat /sys/fs/cgroup/x/a/cgroup.threads
        2030
        2031
        # cat /sys/fs/cgroup/x/cgroup.procs
        2030
        # echo 2030 > /sys/fs/cgroup/x/a/b/cgroup.threads
        # cat /sys/fs/cgroup/x/cgroup.procs
        2031
        2030
      
      The last read of cgroup.procs is incorrectly showing non-leader 2031
      in cgroup.procs output.
      
      This can be fixed by updating css_task_iter_advance() to handle the
      first advance and css_task_iters_tart() to call
      css_task_iter_advance() instead of the inner helper.  After the fix,
      the same commands result in the following (correct) result:
      
        # ps -L 2062
          PID   LWP TTY      STAT   TIME COMMAND
         2062  2062 pts/0    Sl+    0:00 ./test-thread
         2062  2063 pts/0    Sl+    0:00 ./test-thread
        # mkdir -p /sys/fs/cgroup/x/a/b
        # echo threaded > /sys/fs/cgroup/x/a/cgroup.type
        # echo threaded > /sys/fs/cgroup/x/a/b/cgroup.type
        # echo 2062 > /sys/fs/cgroup/x/a/cgroup.procs
        # cat /sys/fs/cgroup/x/a/cgroup.threads
        2062
        2063
        # cat /sys/fs/cgroup/x/cgroup.procs
        2062
        # echo 2062 > /sys/fs/cgroup/x/a/b/cgroup.threads
        # cat /sys/fs/cgroup/x/cgroup.procs
        2062
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Reported-by: N"Michael Kerrisk (man-pages)" <mtk.manpages@gmail.com>
      Fixes: 8cfd8147 ("cgroup: implement cgroup v2 thread support")
      Cc: stable@vger.kernel.org # v4.14+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a2fbdd5
    • D
      crypto: cfb - fix decryption · 99dcd45f
      Dmitry Eremin-Solenikov 提交于
      commit fa4600734b74f74d9169c3015946d4722f8bcf79 upstream.
      
      crypto_cfb_decrypt_segment() incorrectly XOR'ed generated keystream with
      IV, rather than with data stream, resulting in incorrect decryption.
      Test vectors will be added in the next patch.
      Signed-off-by: NDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      99dcd45f
    • D
      crypto: testmgr - add AES-CFB tests · d8e4b24f
      Dmitry Eremin-Solenikov 提交于
      commit 7da66670775d201f633577f5b15a4bbeebaaa2b0 upstream.
      
      Add AES128/192/256-CFB testvectors from NIST SP800-38A.
      Signed-off-by: NDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NDmitry Eremin-Solenikov <dbaryshkov@gmail.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d8e4b24f
    • A
      crypto: chcr - small packet Tx stalls the queue · cc43a8af
      Atul Gupta 提交于
      commit c35828ea906a7c76632a0211e59c392903cd4615 upstream.
      
      Immediate packets sent to hardware should include the work
      request length in calculating the flits. WR occupy one flit and
      if not accounted result in invalid request which stalls the HW
      queue.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NAtul Gupta <atul.gupta@chelsio.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cc43a8af
    • W
      crypto: cavium/nitrox - fix a DMA pool free failure · 0fa6bead
      Wenwen Wang 提交于
      commit 7172122be6a4712d699da4d261f92aa5ab3a78b8 upstream.
      
      In crypto_alloc_context(), a DMA pool is allocated through dma_pool_alloc()
      to hold the crypto context. The meta data of the DMA pool, including the
      pool used for the allocation 'ndev->ctx_pool' and the base address of the
      DMA pool used by the device 'dma', are then stored to the beginning of the
      pool. These meta data are eventually used in crypto_free_context() to free
      the DMA pool through dma_pool_free(). However, given that the DMA pool can
      also be accessed by the device, a malicious device can modify these meta
      data, especially when the device is controlled to deploy an attack. This
      can cause an unexpected DMA pool free failure.
      
      To avoid the above issue, this patch introduces a new structure
      crypto_ctx_hdr and a new field chdr in the structure nitrox_crypto_ctx hold
      the meta data information of the DMA pool after the allocation. Note that
      the original structure ctx_hdr is not changed to ensure the compatibility.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NWenwen Wang <wang6495@umn.edu>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0fa6bead