1. 13 11月, 2019 30 次提交
    • C
      arm64: Do not mask out PTE_RDONLY in pte_same() · 3840610d
      Catalin Marinas 提交于
      commit 6767df245f4736d0cf0c6fb7cf9cf94b27414245 upstream.
      
      Following commit 73e86cb0 ("arm64: Move PTE_RDONLY bit handling out
      of set_pte_at()"), the PTE_RDONLY bit is no longer managed by
      set_pte_at() but built into the PAGE_* attribute definitions.
      Consequently, pte_same() must include this bit when checking two PTEs
      for equality.
      
      Remove the arm64-specific pte_same() function, practically reverting
      commit 747a70e6 ("arm64: Fix copy-on-write referencing in HugeTLB")
      
      Fixes: 73e86cb0 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()")
      Cc: <stable@vger.kernel.org> # 4.14.x-
      Cc: Will Deacon <will@kernel.org>
      Cc: Steve Capper <steve.capper@arm.com>
      Reported-by: NJohn Stultz <john.stultz@linaro.org>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: NWill Deacon <will@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3840610d
    • B
      soundwire: bus: set initial value to port_status · 56f270a1
      Bard Liao 提交于
      commit f1fac63af678b2fc1044ca71fedf1f2ae8bf7c3b upstream.
      
      port_status[port_num] are assigned for each port_num in some if
      conditions. So some of the port_status may not be initialized.
      Signed-off-by: NBard Liao <yung-chuan.liao@linux.intel.com>
      Reviewed-by: NPierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
      Link: https://lore.kernel.org/r/20190829181135.16049-1-yung-chuan.liao@linux.intel.comSigned-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      56f270a1
    • M
      soundwire: depend on ACPI · 9a06efc7
      Michal Suchanek 提交于
      commit 52eb063d153ac310058fbaa91577a72c0e7a7169 upstream.
      
      The device cannot be probed on !ACPI and gives this warning:
      
      drivers/soundwire/slave.c:16:12: warning: ‘sdw_slave_add’ defined but
      not used [-Wunused-function]
       static int sdw_slave_add(struct sdw_bus *bus,
                  ^~~~~~~~~~~~~
      
      Cc: stable@vger.kernel.org
      Fixes: 7c3cd189 ("soundwire: Add Master registration")
      Signed-off-by: NMichal Suchanek <msuchanek@suse.de>
      Link: https://lore.kernel.org/r/bd685232ea511251eeb9554172f1524eabf9a46e.1570097621.git.msuchanek@suse.deSigned-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a06efc7
    • J
      HID: wacom: generic: Treat serial number and related fields as unsigned · a81a4637
      Jason Gerecke 提交于
      commit ff479731c3859609530416a18ddb3db5db019b66 upstream.
      
      The HID descriptors for most Wacom devices oddly declare the serial
      number and other related fields as signed integers. When these numbers
      are ingested by the HID subsystem, they are automatically sign-extended
      into 32-bit integers. We treat the fields as unsigned elsewhere in the
      kernel and userspace, however, so this sign-extension causes problems.
      In particular, the sign-extended tool ID sent to userspace as ABS_MISC
      does not properly match unsigned IDs used by xf86-input-wacom and libwacom.
      
      We introduce a function 'wacom_s32tou' that can undo the automatic sign
      extension performed by 'hid_snto32'. We call this function when processing
      the serial number and related fields to ensure that we are dealing with
      and reporting the unsigned form. We opt to use this method rather than
      adding a descriptor fixup in 'wacom_hid_usage_quirk' since it should be
      more robust in the face of future devices.
      
      Ref: https://github.com/linuxwacom/input-wacom/issues/134
      Fixes: f85c9dc6 ("HID: wacom: generic: Support tool ID and additional tool types")
      CC: <stable@vger.kernel.org> # v4.10+
      Signed-off-by: NJason Gerecke <jason.gerecke@wacom.com>
      Reviewed-by: NAaron Armstrong Skomra <aaron.skomra@wacom.com>
      Signed-off-by: NJiri Kosina <jkosina@suse.cz>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a81a4637
    • A
      drm/radeon: fix si_enable_smc_cac() failed issue · e3fdd0c1
      Alex Deucher 提交于
      commit 2c409ba81be25516afe05ae27a4a15da01740b01 upstream.
      
      Need to set the dte flag on this asic.
      
      Port the fix from amdgpu:
      5cb818b8 ("drm/amd/amdgpu: fix si_enable_smc_cac() failed issue")
      Reviewed-by: NYong Zhao <yong.zhao@amd.com>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e3fdd0c1
    • J
      perf tools: Fix time sorting · f39fbd05
      Jiri Olsa 提交于
      commit 722ddfde366fd46205456a9c5ff9b3359dc9a75e upstream.
      
      The final sort might get confused when the comparison is done over
      bigger numbers than int like for -s time.
      
      Check the following report for longer workloads:
      
        $ perf report -s time -F time,overhead --stdio
      
      Fix hist_entry__sort() to properly return int64_t and not possible cut
      int.
      
      Fixes: 043ca389 ("perf tools: Use hpp formats to sort final output")
      Signed-off-by: NJiri Olsa <jolsa@kernel.org>
      Reviewed-by: NAndi Kleen <ak@linux.intel.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Michael Petlan <mpetlan@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: stable@vger.kernel.org # v3.16+
      Link: http://lore.kernel.org/lkml/20191104232711.16055-1-jolsa@kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f39fbd05
    • S
      tools: gpio: Use !building_out_of_srctree to determine srctree · 66d53cd6
      Shuah Khan 提交于
      commit 4a6a6f5c4aeedb72db871d60bfcca89835f317aa upstream.
      
      make TARGETS=gpio kselftest fails with:
      
      Makefile:23: tools/build/Makefile.include: No such file or directory
      
      When the gpio tool make is invoked from tools Makefile, srctree is
      cleared and the current logic check for srctree equals to empty
      string to determine srctree location from CURDIR.
      
      When the build in invoked from selftests/gpio Makefile, the srctree
      is set to "." and the same logic used for srctree equals to empty is
      needed to determine srctree.
      
      Check building_out_of_srctree undefined as the condition for both
      cases to fix "make TARGETS=gpio kselftest" build failure.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NShuah Khan <skhan@linuxfoundation.org>
      Signed-off-by: NBartosz Golaszewski <bgolaszewski@baylibre.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66d53cd6
    • K
      dump_stack: avoid the livelock of the dump_lock · 8e358a02
      Kevin Hao 提交于
      commit 5cbf2fff3bba8d3c6a4d47c1754de1cf57e2b01f upstream.
      
      In the current code, we use the atomic_cmpxchg() to serialize the output
      of the dump_stack(), but this implementation suffers the thundering herd
      problem.  We have observed such kind of livelock on a Marvell cn96xx
      board(24 cpus) when heavily using the dump_stack() in a kprobe handler.
      Actually we can let the competitors to wait for the releasing of the
      lock before jumping to atomic_cmpxchg().  This will definitely mitigate
      the thundering herd problem.  Thanks Linus for the suggestion.
      
      [akpm@linux-foundation.org: fix comment]
      Link: http://lkml.kernel.org/r/20191030031637.6025-1-haokexin@gmail.com
      Fixes: b58d9774 ("dump_stack: serialize the output from dump_stack()")
      Signed-off-by: NKevin Hao <haokexin@gmail.com>
      Suggested-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e358a02
    • M
      mm, vmstat: hide /proc/pagetypeinfo from normal users · 6c944fc5
      Michal Hocko 提交于
      commit abaed0112c1db08be15a784a2c5c8a8b3063cdd3 upstream.
      
      /proc/pagetypeinfo is a debugging tool to examine internal page
      allocator state wrt to fragmentation.  It is not very useful for any
      other use so normal users really do not need to read this file.
      
      Waiman Long has noticed that reading this file can have negative side
      effects because zone->lock is necessary for gathering data and that a)
      interferes with the page allocator and its users and b) can lead to hard
      lockups on large machines which have very long free_list.
      
      Reduce both issues by simply not exporting the file to regular users.
      
      Link: http://lkml.kernel.org/r/20191025072610.18526-2-mhocko@kernel.org
      Fixes: 467c996c ("Print out statistics in relation to fragmentation avoidance to /proc/pagetypeinfo")
      Signed-off-by: NMichal Hocko <mhocko@suse.com>
      Reported-by: NWaiman Long <longman@redhat.com>
      Acked-by: NMel Gorman <mgorman@suse.de>
      Acked-by: NVlastimil Babka <vbabka@suse.cz>
      Acked-by: NWaiman Long <longman@redhat.com>
      Acked-by: NRafael Aquini <aquini@redhat.com>
      Acked-by: NDavid Rientjes <rientjes@google.com>
      Reviewed-by: NAndrew Morton <akpm@linux-foundation.org>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Johannes Weiner <hannes@cmpxchg.org>
      Cc: Roman Gushchin <guro@fb.com>
      Cc: Konstantin Khlebnikov <khlebnikov@yandex-team.ru>
      Cc: Jann Horn <jannh@google.com>
      Cc: Song Liu <songliubraving@fb.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c944fc5
    • Y
      mm: thp: handle page cache THP correctly in PageTransCompoundMap · 2686f71f
      Yang Shi 提交于
      commit 169226f7e0d275c1879551f37484ef6683579a5c upstream.
      
      We have a usecase to use tmpfs as QEMU memory backend and we would like
      to take the advantage of THP as well.  But, our test shows the EPT is
      not PMD mapped even though the underlying THP are PMD mapped on host.
      The number showed by /sys/kernel/debug/kvm/largepage is much less than
      the number of PMD mapped shmem pages as the below:
      
        7f2778200000-7f2878200000 rw-s 00000000 00:14 262232 /dev/shm/qemu_back_mem.mem.Hz2hSf (deleted)
        Size:            4194304 kB
        [snip]
        AnonHugePages:         0 kB
        ShmemPmdMapped:   579584 kB
        [snip]
        Locked:                0 kB
      
        cat /sys/kernel/debug/kvm/largepages
        12
      
      And some benchmarks do worse than with anonymous THPs.
      
      By digging into the code we figured out that commit 127393fb ("mm:
      thp: kvm: fix memory corruption in KVM with THP enabled") checks if
      there is a single PTE mapping on the page for anonymous THP when setting
      up EPT map.  But the _mapcount < 0 check doesn't work for page cache THP
      since every subpage of page cache THP would get _mapcount inc'ed once it
      is PMD mapped, so PageTransCompoundMap() always returns false for page
      cache THP.  This would prevent KVM from setting up PMD mapped EPT entry.
      
      So we need handle page cache THP correctly.  However, when page cache
      THP's PMD gets split, kernel just remove the map instead of setting up
      PTE map like what anonymous THP does.  Before KVM calls get_user_pages()
      the subpages may get PTE mapped even though it is still a THP since the
      page cache THP may be mapped by other processes at the mean time.
      
      Checking its _mapcount and whether the THP has PTE mapped or not.
      Although this may report some false negative cases (PTE mapped by other
      processes), it looks not trivial to make this accurate.
      
      With this fix /sys/kernel/debug/kvm/largepage would show reasonable
      pages are PMD mapped by EPT as the below:
      
        7fbeaee00000-7fbfaee00000 rw-s 00000000 00:14 275464 /dev/shm/qemu_back_mem.mem.SKUvat (deleted)
        Size:            4194304 kB
        [snip]
        AnonHugePages:         0 kB
        ShmemPmdMapped:   557056 kB
        [snip]
        Locked:                0 kB
      
        cat /sys/kernel/debug/kvm/largepages
        271
      
      And the benchmarks are as same as anonymous THPs.
      
      [yang.shi@linux.alibaba.com: v4]
        Link: http://lkml.kernel.org/r/1571865575-42913-1-git-send-email-yang.shi@linux.alibaba.com
      Link: http://lkml.kernel.org/r/1571769577-89735-1-git-send-email-yang.shi@linux.alibaba.com
      Fixes: dd78fedd ("rmap: support file thp")
      Signed-off-by: NYang Shi <yang.shi@linux.alibaba.com>
      Reported-by: NGang Deng <gavin.dg@linux.alibaba.com>
      Tested-by: NGang Deng <gavin.dg@linux.alibaba.com>
      Suggested-by: NHugh Dickins <hughd@google.com>
      Acked-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: Matthew Wilcox <willy@infradead.org>
      Cc: <stable@vger.kernel.org>	[4.8+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2686f71f
    • M
      mm, meminit: recalculate pcpu batch and high limits after init completes · 7dfa51be
      Mel Gorman 提交于
      commit 3e8fc0075e24338b1117cdff6a79477427b8dbed upstream.
      
      Deferred memory initialisation updates zone->managed_pages during the
      initialisation phase but before that finishes, the per-cpu page
      allocator (pcpu) calculates the number of pages allocated/freed in
      batches as well as the maximum number of pages allowed on a per-cpu
      list.  As zone->managed_pages is not up to date yet, the pcpu
      initialisation calculates inappropriately low batch and high values.
      
      This increases zone lock contention quite severely in some cases with
      the degree of severity depending on how many CPUs share a local zone and
      the size of the zone.  A private report indicated that kernel build
      times were excessive with extremely high system CPU usage.  A perf
      profile indicated that a large chunk of time was lost on zone->lock
      contention.
      
      This patch recalculates the pcpu batch and high values after deferred
      initialisation completes for every populated zone in the system.  It was
      tested on a 2-socket AMD EPYC 2 machine using a kernel compilation
      workload -- allmodconfig and all available CPUs.
      
      mmtests configuration: config-workload-kernbench-max Configuration was
      modified to build on a fresh XFS partition.
      
      kernbench
                                      5.4.0-rc3              5.4.0-rc3
                                        vanilla           resetpcpu-v2
      Amean     user-256    13249.50 (   0.00%)    16401.31 * -23.79%*
      Amean     syst-256    14760.30 (   0.00%)     4448.39 *  69.86%*
      Amean     elsp-256      162.42 (   0.00%)      119.13 *  26.65%*
      Stddev    user-256       42.97 (   0.00%)       19.15 (  55.43%)
      Stddev    syst-256      336.87 (   0.00%)        6.71 (  98.01%)
      Stddev    elsp-256        2.46 (   0.00%)        0.39 (  84.03%)
      
                         5.4.0-rc3    5.4.0-rc3
                           vanilla resetpcpu-v2
      Duration User       39766.24     49221.79
      Duration System     44298.10     13361.67
      Duration Elapsed      519.11       388.87
      
      The patch reduces system CPU usage by 69.86% and total build time by
      26.65%.  The variance of system CPU usage is also much reduced.
      
      Before, this was the breakdown of batch and high values over all zones
      was:
      
          256               batch: 1
          256               batch: 63
          512               batch: 7
          256               high:  0
          256               high:  378
          512               high:  42
      
      512 pcpu pagesets had a batch limit of 7 and a high limit of 42.  After
      the patch:
      
          256               batch: 1
          768               batch: 63
          256               high:  0
          768               high:  378
      
      [mgorman@techsingularity.net: fix merge/linkage snafu]
        Link: http://lkml.kernel.org/r/20191023084705.GD3016@techsingularity.netLink: http://lkml.kernel.org/r/20191021094808.28824-2-mgorman@techsingularity.netSigned-off-by: NMel Gorman <mgorman@techsingularity.net>
      Acked-by: NMichal Hocko <mhocko@suse.com>
      Acked-by: NVlastimil Babka <vbabka@suse.cz>
      Acked-by: NDavid Hildenbrand <david@redhat.com>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Qian Cai <cai@lca.pw>
      Cc: <stable@vger.kernel.org>	[4.1+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7dfa51be
    • J
      mm: memcontrol: fix network errors from failing __GFP_ATOMIC charges · 8e6bf4bc
      Johannes Weiner 提交于
      commit 869712fd3de5a90b7ba23ae1272278cddc66b37b upstream.
      
      While upgrading from 4.16 to 5.2, we noticed these allocation errors in
      the log of the new kernel:
      
        SLUB: Unable to allocate memory on node -1, gfp=0xa20(GFP_ATOMIC)
          cache: tw_sock_TCPv6(960:helper-logs), object size: 232, buffer size: 240, default order: 1, min order: 0
          node 0: slabs: 5, objs: 170, free: 0
      
              slab_out_of_memory+1
              ___slab_alloc+969
              __slab_alloc+14
              kmem_cache_alloc+346
              inet_twsk_alloc+60
              tcp_time_wait+46
              tcp_fin+206
              tcp_data_queue+2034
              tcp_rcv_state_process+784
              tcp_v6_do_rcv+405
              __release_sock+118
              tcp_close+385
              inet_release+46
              __sock_release+55
              sock_close+17
              __fput+170
              task_work_run+127
              exit_to_usermode_loop+191
              do_syscall_64+212
              entry_SYSCALL_64_after_hwframe+68
      
      accompanied by an increase in machines going completely radio silent
      under memory pressure.
      
      One thing that changed since 4.16 is e699e2c6 ("net, mm: account
      sock objects to kmemcg"), which made these slab caches subject to cgroup
      memory accounting and control.
      
      The problem with that is that cgroups, unlike the page allocator, do not
      maintain dedicated atomic reserves.  As a cgroup's usage hovers at its
      limit, atomic allocations - such as done during network rx - can fail
      consistently for extended periods of time.  The kernel is not able to
      operate under these conditions.
      
      We don't want to revert the culprit patch, because it indeed tracks a
      potentially substantial amount of memory used by a cgroup.
      
      We also don't want to implement dedicated atomic reserves for cgroups.
      There is no point in keeping a fixed margin of unused bytes in the
      cgroup's memory budget to accomodate a consumer that is impossible to
      predict - we'd be wasting memory and get into configuration headaches,
      not unlike what we have going with min_free_kbytes.  We do this for
      physical mem because we have to, but cgroups are an accounting game.
      
      Instead, account these privileged allocations to the cgroup, but let
      them bypass the configured limit if they have to.  This way, we get the
      benefits of accounting the consumed memory and have it exert pressure on
      the rest of the cgroup, but like with the page allocator, we shift the
      burden of reclaimining on behalf of atomic allocations onto the regular
      allocations that can block.
      
      Link: http://lkml.kernel.org/r/20191022233708.365764-1-hannes@cmpxchg.org
      Fixes: e699e2c6 ("net, mm: account sock objects to kmemcg")
      Signed-off-by: NJohannes Weiner <hannes@cmpxchg.org>
      Reviewed-by: NShakeel Butt <shakeelb@google.com>
      Cc: Suleiman Souhlal <suleiman@google.com>
      Cc: Michal Hocko <mhocko@kernel.org>
      Cc: <stable@vger.kernel.org>	[4.18+]
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e6bf4bc
    • T
      ALSA: hda/ca0132 - Fix possible workqueue stall · 6ecc1635
      Takashi Iwai 提交于
      commit 15c2b3cc09a31620914955cb2a89c277c18ee999 upstream.
      
      The unsolicited event handler for the headphone jack on CA0132 codec
      driver tries to reschedule the another delayed work with
      cancel_delayed_work_sync().  It's no good idea, unfortunately,
      especially after we changed the work queue to the standard global
      one; this may lead to a stall because both works are using the same
      global queue.
      
      Fix it by dropping the _sync but does call cancel_delayed_work()
      instead.
      
      Fixes: 993884f6 ("ALSA: hda/ca0132 - Delay HP amp turnon.")
      BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1155836
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191105134316.19294-1-tiwai@suse.deSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6ecc1635
    • T
      ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series · 6921b160
      Takashi Sakamoto 提交于
      commit 706ad6746a66546daf96d4e4a95e46faf6cf689a upstream.
      
      For Focusrite Saffire Pro i/o, the lowest 8 bits of register represents
      configured source of sampling clock. The next lowest 8 bits represents
      whether the configured source is actually detected or not just after
      the register is changed for the source.
      
      Current implementation evaluates whole the register to detect configured
      source. This results in failure due to the next lowest 8 bits when the
      source is connected in advance.
      
      This commit fixes the bug.
      
      Fixes: 25784ec2 ("ALSA: bebob: Add support for Focusrite Saffire/SaffirePro series")
      Cc: <stable@vger.kernel.org> # v3.16+
      Signed-off-by: NTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Link: https://lore.kernel.org/r/20191102150920.20367-1-o-takashi@sakamocchi.jpSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6921b160
    • T
      ALSA: timer: Fix incorrectly assigned timer instance · b8547224
      Takashi Iwai 提交于
      commit e7af6307a8a54f0b873960b32b6a644f2d0fbd97 upstream.
      
      The clean up commit 41672c0c24a6 ("ALSA: timer: Simplify error path in
      snd_timer_open()") unified the error handling code paths with the
      standard goto, but it introduced a subtle bug: the timer instance is
      stored in snd_timer_open() incorrectly even if it returns an error.
      This may eventually lead to UAF, as spotted by fuzzer.
      
      The culprit is the snd_timer_open() code checks the
      SNDRV_TIMER_IFLG_EXCLUSIVE flag with the common variable timeri.
      This variable is supposed to be the newly created instance, but we
      (ab-)used it for a temporary check before the actual creation of a
      timer instance.  After that point, there is another check for the max
      number of instances, and it bails out if over the threshold.  Before
      the refactoring above, it worked fine because the code returned
      directly from that point.  After the refactoring, however, it jumps to
      the unified error path that stores the timeri variable in return --
      even if it returns an error.  Unfortunately this stored value is kept
      in the caller side (snd_timer_user_tselect()) in tu->timeri.  This
      causes inconsistency later, as if the timer was successfully
      assigned.
      
      In this patch, we fix it by not re-using timeri variable but a
      temporary variable for testing the exclusive connection, so timeri
      remains NULL at that point.
      
      Fixes: 41672c0c24a6 ("ALSA: timer: Simplify error path in snd_timer_open()")
      Reported-and-tested-by: NTristan Madani <tristmd@gmail.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191106165547.23518-1-tiwai@suse.deSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b8547224
    • S
      net: hns: Fix the stray netpoll locks causing deadlock in NAPI path · 107451b8
      Salil Mehta 提交于
      [ Upstream commit bf5a6b4c474c589244dc25ee1af2c3c829228ef8 ]
      
      This patch fixes the problem of the spin locks, originally
      meant for the netpoll path of hns driver, causing deadlock in
      the normal NAPI poll path. The issue happened due to the presence
      of the stray leftover spin lock code related to the netpoll,
      whose support was earlier removed from the HNS[1], got activated
      due to enabling of NET_POLL_CONTROLLER switch.
      
      Earlier background:
      The netpoll handling code originally had this bug(as identified
      by Marc Zyngier[2]) of wrong spin lock API being used which did
      not disable the interrupts and hence could cause locking issues.
      i.e. if the lock were first acquired in context to thread like
      'ip' util and this lock if ever got later acquired again in
      context to the interrupt context like TX/RX (Interrupts could
      always pre-empt the lock holding task and acquire the lock again)
      and hence could cause deadlock.
      
      Proposed Solution:
      1. If the netpoll was enabled in the HNS driver, which is not
         right now, we could have simply used spin_[un]lock_irqsave()
      2. But as netpoll is disabled, therefore, it is best to get rid
         of the existing locks and stray code for now. This should
         solve the problem reported by Marc.
      
      [1] https://git.kernel.org/torvalds/c/4bd2c03be7
      [2] https://patchwork.ozlabs.org/patch/1189139/
      
      Fixes: 4bd2c03b ("net: hns: remove ndo_poll_controller")
      Cc: lipeng <lipeng321@huawei.com>
      Cc: Yisen Zhuang <yisen.zhuang@huawei.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: David S. Miller <davem@davemloft.net>
      Reported-by: NMarc Zyngier <maz@kernel.org>
      Acked-by: NMarc Zyngier <maz@kernel.org>
      Tested-by: NMarc Zyngier <maz@kernel.org>
      Signed-off-by: NSalil Mehta <salil.mehta@huawei.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      107451b8
    • E
      ipv6: fixes rt6_probe() and fib6_nh->last_probe init · 26e398dc
      Eric Dumazet 提交于
      [ Upstream commit 1bef4c223b8588cf50433bdc2c6953d82949b3b3 ]
      
      While looking at a syzbot KCSAN report [1], I found multiple
      issues in this code :
      
      1) fib6_nh->last_probe has an initial value of 0.
      
         While probably okay on 64bit kernels, this causes an issue
         on 32bit kernels since the time_after(jiffies, 0 + interval)
         might be false ~24 days after boot (for HZ=1000)
      
      2) The data-race found by KCSAN
         I could use READ_ONCE() and WRITE_ONCE(), but we also can
         take the opportunity of not piling-up too many rt6_probe_deferred()
         works by using instead cmpxchg() so that only one cpu wins the race.
      
      [1]
      BUG: KCSAN: data-race in find_match / find_match
      
      write to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 1:
       rt6_probe net/ipv6/route.c:663 [inline]
       find_match net/ipv6/route.c:757 [inline]
       find_match+0x5bd/0x790 net/ipv6/route.c:733
       __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831
       find_rr_leaf net/ipv6/route.c:852 [inline]
       rt6_select net/ipv6/route.c:896 [inline]
       fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164
       ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200
       ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452
       fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117
       ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484
       ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497
       ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049
       ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150
       inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106
       inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121
       __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
       tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
       tcp_xmit_probe_skb+0x19b/0x1d0 net/ipv4/tcp_output.c:3735
      
      read to 0xffff8880bb7aabe8 of 8 bytes by interrupt on cpu 0:
       rt6_probe net/ipv6/route.c:657 [inline]
       find_match net/ipv6/route.c:757 [inline]
       find_match+0x521/0x790 net/ipv6/route.c:733
       __find_rr_leaf+0xe3/0x780 net/ipv6/route.c:831
       find_rr_leaf net/ipv6/route.c:852 [inline]
       rt6_select net/ipv6/route.c:896 [inline]
       fib6_table_lookup+0x383/0x650 net/ipv6/route.c:2164
       ip6_pol_route+0xee/0x5c0 net/ipv6/route.c:2200
       ip6_pol_route_output+0x48/0x60 net/ipv6/route.c:2452
       fib6_rule_lookup+0x3d6/0x470 net/ipv6/fib6_rules.c:117
       ip6_route_output_flags_noref+0x16b/0x230 net/ipv6/route.c:2484
       ip6_route_output_flags+0x50/0x1a0 net/ipv6/route.c:2497
       ip6_dst_lookup_tail+0x25d/0xc30 net/ipv6/ip6_output.c:1049
       ip6_dst_lookup_flow+0x68/0x120 net/ipv6/ip6_output.c:1150
       inet6_csk_route_socket+0x2f7/0x420 net/ipv6/inet6_connection_sock.c:106
       inet6_csk_xmit+0x91/0x1f0 net/ipv6/inet6_connection_sock.c:121
       __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 18894 Comm: udevd Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      
      Fixes: cc3a86c802f0 ("ipv6: Change rt6_probe to take a fib6_nh")
      Fixes: f547fac6 ("ipv6: rate-limit probes for neighbourless routes")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Reviewed-by: NDavid Ahern <dsahern@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      26e398dc
    • C
      net: mscc: ocelot: fix NULL pointer on LAG slave removal · 05b76142
      Claudiu Manoil 提交于
      [ Upstream commit 3b3eed8eec47259939ee6c3d58aea1c311ddee3b ]
      
      lag_upper_info may be NULL on slave removal.
      
      Fixes: dc96ee37 ("net: mscc: ocelot: add bonding support")
      Signed-off-by: NClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      05b76142
    • C
      net: mscc: ocelot: don't handle netdev events for other netdevs · 1cfc967e
      Claudiu Manoil 提交于
      [ Upstream commit 7afb3e575e5aa9f5a200a3eb3f45d8130f6d6601 ]
      
      The check that the event is actually for this device should be moved
      from the "port" handler to the net device handler.
      
      Otherwise the port handler will deny bonding configuration for other
      net devices in the same system (like enetc in the LS1028A) that don't
      have the lag_upper_info->tx_type restriction that ocelot has.
      
      Fixes: dc96ee37 ("net: mscc: ocelot: add bonding support")
      Signed-off-by: NClaudiu Manoil <claudiu.manoil@nxp.com>
      Signed-off-by: NVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1cfc967e
    • M
      qede: fix NULL pointer deref in __qede_remove() · a6fdbaee
      Manish Chopra 提交于
      [ Upstream commit deabc87111c690097c03765ea017cd500f7376fc ]
      
      While rebooting the system with SR-IOV vfs enabled leads
      to below crash due to recurrence of __qede_remove() on the VF
      devices (first from .shutdown() flow of the VF itself and
      another from PF's .shutdown() flow executing pci_disable_sriov())
      
      This patch adds a safeguard in __qede_remove() flow to fix this,
      so that driver doesn't attempt to remove "already removed" devices.
      
      [  194.360134] BUG: unable to handle kernel NULL pointer dereference at 00000000000008dc
      [  194.360227] IP: [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
      [  194.360304] PGD 0
      [  194.360325] Oops: 0000 [#1] SMP
      [  194.360360] Modules linked in: tcp_lp fuse tun bridge stp llc devlink bonding ip_set nfnetlink ib_isert iscsi_target_mod ib_srpt target_core_mod ib_srp scsi_transport_srp scsi_tgt ib_ipoib ib_umad rpcrdma sunrpc rdma_ucm ib_uverbs ib_iser rdma_cm iw_cm ib_cm libiscsi scsi_transport_iscsi dell_smbios iTCO_wdt iTCO_vendor_support dell_wmi_descriptor dcdbas vfat fat pcc_cpufreq skx_edac intel_powerclamp coretemp intel_rapl iosf_mbi kvm_intel kvm irqbypass crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd qedr ib_core pcspkr ses enclosure joydev ipmi_ssif sg i2c_i801 lpc_ich mei_me mei wmi ipmi_si ipmi_devintf ipmi_msghandler tpm_crb acpi_pad acpi_power_meter xfs libcrc32c sd_mod crc_t10dif crct10dif_generic crct10dif_pclmul crct10dif_common crc32c_intel mgag200
      [  194.361044]  qede i2c_algo_bit drm_kms_helper qed syscopyarea sysfillrect nvme sysimgblt fb_sys_fops ttm nvme_core mpt3sas crc8 ptp drm pps_core ahci raid_class scsi_transport_sas libahci libata drm_panel_orientation_quirks nfit libnvdimm dm_mirror dm_region_hash dm_log dm_mod [last unloaded: ip_tables]
      [  194.361297] CPU: 51 PID: 7996 Comm: reboot Kdump: loaded Not tainted 3.10.0-1062.el7.x86_64 #1
      [  194.361359] Hardware name: Dell Inc. PowerEdge MX840c/0740HW, BIOS 2.4.6 10/15/2019
      [  194.361412] task: ffff9cea9b360000 ti: ffff9ceabebdc000 task.ti: ffff9ceabebdc000
      [  194.361463] RIP: 0010:[<ffffffffc03553c4>]  [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
      [  194.361534] RSP: 0018:ffff9ceabebdfac0  EFLAGS: 00010282
      [  194.361570] RAX: 0000000000000000 RBX: ffff9cd013846098 RCX: 0000000000000000
      [  194.361621] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff9cd013846098
      [  194.361668] RBP: ffff9ceabebdfae8 R08: 0000000000000000 R09: 0000000000000000
      [  194.361715] R10: 00000000bfe14201 R11: ffff9ceabfe141e0 R12: 0000000000000000
      [  194.361762] R13: ffff9cd013846098 R14: 0000000000000000 R15: ffff9ceab5e48000
      [  194.361810] FS:  00007f799c02d880(0000) GS:ffff9ceacb0c0000(0000) knlGS:0000000000000000
      [  194.361865] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  194.361903] CR2: 00000000000008dc CR3: 0000001bdac76000 CR4: 00000000007607e0
      [  194.361953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [  194.362002] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      [  194.362051] PKRU: 55555554
      [  194.362073] Call Trace:
      [  194.362109]  [<ffffffffc0355500>] qede_remove+0x10/0x20 [qede]
      [  194.362180]  [<ffffffffb97d0f3e>] pci_device_remove+0x3e/0xc0
      [  194.362240]  [<ffffffffb98b3c52>] __device_release_driver+0x82/0xf0
      [  194.362285]  [<ffffffffb98b3ce3>] device_release_driver+0x23/0x30
      [  194.362343]  [<ffffffffb97c86d4>] pci_stop_bus_device+0x84/0xa0
      [  194.362388]  [<ffffffffb97c87e2>] pci_stop_and_remove_bus_device+0x12/0x20
      [  194.362450]  [<ffffffffb97f153f>] pci_iov_remove_virtfn+0xaf/0x160
      [  194.362496]  [<ffffffffb97f1aec>] sriov_disable+0x3c/0xf0
      [  194.362534]  [<ffffffffb97f1bc3>] pci_disable_sriov+0x23/0x30
      [  194.362599]  [<ffffffffc02f83c3>] qed_sriov_disable+0x5e3/0x650 [qed]
      [  194.362658]  [<ffffffffb9622df6>] ? kfree+0x106/0x140
      [  194.362709]  [<ffffffffc02cc0c0>] ? qed_free_stream_mem+0x70/0x90 [qed]
      [  194.362754]  [<ffffffffb9622df6>] ? kfree+0x106/0x140
      [  194.362803]  [<ffffffffc02cd659>] qed_slowpath_stop+0x1a9/0x1d0 [qed]
      [  194.362854]  [<ffffffffc035544e>] __qede_remove+0xae/0x130 [qede]
      [  194.362904]  [<ffffffffc03554e0>] qede_shutdown+0x10/0x20 [qede]
      [  194.362956]  [<ffffffffb97cf90a>] pci_device_shutdown+0x3a/0x60
      [  194.363010]  [<ffffffffb98b180b>] device_shutdown+0xfb/0x1f0
      [  194.363066]  [<ffffffffb94b66c6>] kernel_restart_prepare+0x36/0x40
      [  194.363107]  [<ffffffffb94b66e2>] kernel_restart+0x12/0x60
      [  194.363146]  [<ffffffffb94b6959>] SYSC_reboot+0x229/0x260
      [  194.363196]  [<ffffffffb95f200d>] ? handle_mm_fault+0x39d/0x9b0
      [  194.363253]  [<ffffffffb942b621>] ? __switch_to+0x151/0x580
      [  194.363304]  [<ffffffffb9b7ec28>] ? __schedule+0x448/0x9c0
      [  194.363343]  [<ffffffffb94b69fe>] SyS_reboot+0xe/0x10
      [  194.363387]  [<ffffffffb9b8bede>] system_call_fastpath+0x25/0x2a
      [  194.363430] Code: f9 e9 37 ff ff ff 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 4c 8d af 98 00 00 00 41 54 4c 89 ef 41 89 f4 53 e8 4c e4 55 f9 <80> b8 dc 08 00 00 01 48 89 c3 4c 8d b8 c0 08 00 00 4c 8b b0 c0
      [  194.363712] RIP  [<ffffffffc03553c4>] __qede_remove+0x24/0x130 [qede]
      [  194.363764]  RSP <ffff9ceabebdfac0>
      [  194.363791] CR2: 00000000000008dc
      Signed-off-by: NManish Chopra <manishc@marvell.com>
      Signed-off-by: NAriel Elior <aelior@marvell.com>
      Signed-off-by: NSudarsana Kalluru <skalluru@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6fdbaee
    • P
      NFC: st21nfca: fix double free · 956b3885
      Pan Bian 提交于
      [ Upstream commit 99a8efbb6e30b72ac98cecf81103f847abffb1e5 ]
      
      The variable nfcid_skb is not changed in the callee nfc_hci_get_param()
      if error occurs. Consequently, the freed variable nfcid_skb will be
      freed again, resulting in a double free bug. Set nfcid_skb to NULL after
      releasing it to fix the bug.
      Signed-off-by: NPan Bian <bianpan2016@163.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      956b3885
    • P
      nfc: netlink: fix double device reference drop · 1143496c
      Pan Bian 提交于
      [ Upstream commit 025ec40b81d785a98f76b8bdb509ac10773b4f12 ]
      
      The function nfc_put_device(dev) is called twice to drop the reference
      to dev when there is no associated local llcp. Remove one of them to fix
      the bug.
      
      Fixes: 52feb444 ("NFC: Extend netlink interface for LTO, RW, and MIUX parameters support")
      Fixes: d9b8d8e1 ("NFC: llcp: Service Name Lookup netlink interface")
      Signed-off-by: NPan Bian <bianpan2016@163.com>
      Reviewed-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1143496c
    • P
      NFC: fdp: fix incorrect free object · 760a1f7f
      Pan Bian 提交于
      [ Upstream commit 517ce4e93368938b204451285e53014549804868 ]
      
      The address of fw_vsc_cfg is on stack. Releasing it with devm_kfree() is
      incorrect, which may result in a system crash or other security impacts.
      The expected object to free is *fw_vsc_cfg.
      Signed-off-by: NPan Bian <bianpan2016@163.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      760a1f7f
    • A
      net: usb: qmi_wwan: add support for DW5821e with eSIM support · 5580091c
      Aleksander Morgado 提交于
      [ Upstream commit e497df686e8fed8c1dd69179010656362858edb3 ]
      
      Exactly same layout as the default DW5821e module, just a different
      vid/pid.
      
      The QMI interface is exposed in USB configuration #1:
      
      P:  Vendor=413c ProdID=81e0 Rev=03.18
      S:  Manufacturer=Dell Inc.
      S:  Product=DW5821e-eSIM Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      Signed-off-by: NAleksander Morgado <aleksander@aleksander.es>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5580091c
    • S
      net: qualcomm: rmnet: Fix potential UAF when unregistering · 4fd21807
      Sean Tranchetti 提交于
      [ Upstream commit e7a86c687e64ab24f88330ad24ecc9442ce40c5a ]
      
      During the exit/unregistration process of the RmNet driver, the function
      rmnet_unregister_real_device() is called to handle freeing the driver's
      internal state and removing the RX handler on the underlying physical
      device. However, the order of operations this function performs is wrong
      and can lead to a use after free of the rmnet_port structure.
      
      Before calling netdev_rx_handler_unregister(), this port structure is
      freed with kfree(). If packets are received on any RmNet devices before
      synchronize_net() completes, they will attempt to use this already-freed
      port structure when processing the packet. As such, before cleaning up any
      other internal state, the RX handler must be unregistered in order to
      guarantee that no further packets will arrive on the device.
      
      Fixes: ceed73a2 ("drivers: net: ethernet: qualcomm: rmnet: Initial implementation")
      Signed-off-by: NSean Tranchetti <stranche@codeaurora.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fd21807
    • E
      net: fix data-race in neigh_event_send() · b9bda52f
      Eric Dumazet 提交于
      [ Upstream commit 1b53d64435d56902fc234ff2507142d971a09687 ]
      
      KCSAN reported the following data-race [1]
      
      The fix will also prevent the compiler from optimizing out
      the condition.
      
      [1]
      
      BUG: KCSAN: data-race in neigh_resolve_output / neigh_resolve_output
      
      write to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 1:
       neigh_event_send include/net/neighbour.h:443 [inline]
       neigh_resolve_output+0x78/0x480 net/core/neighbour.c:1474
       neigh_output include/net/neighbour.h:511 [inline]
       ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
       __ip_finish_output net/ipv4/ip_output.c:308 [inline]
       __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
       ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
       dst_output include/net/dst.h:436 [inline]
       ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
       __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
       ip_queue_xmit+0x45/0x60 include/net/ip.h:237
       __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
       tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
       __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
       tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
       tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
       tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
       tcp_write_timer+0xd1/0xf0 net/ipv4/tcp_timer.c:618
      
      read to 0xffff8880a41dba78 of 8 bytes by interrupt on cpu 0:
       neigh_event_send include/net/neighbour.h:442 [inline]
       neigh_resolve_output+0x57/0x480 net/core/neighbour.c:1474
       neigh_output include/net/neighbour.h:511 [inline]
       ip_finish_output2+0x4af/0xe40 net/ipv4/ip_output.c:228
       __ip_finish_output net/ipv4/ip_output.c:308 [inline]
       __ip_finish_output+0x23a/0x490 net/ipv4/ip_output.c:290
       ip_finish_output+0x41/0x160 net/ipv4/ip_output.c:318
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip_output+0xdf/0x210 net/ipv4/ip_output.c:432
       dst_output include/net/dst.h:436 [inline]
       ip_local_out+0x74/0x90 net/ipv4/ip_output.c:125
       __ip_queue_xmit+0x3a8/0xa40 net/ipv4/ip_output.c:532
       ip_queue_xmit+0x45/0x60 include/net/ip.h:237
       __tcp_transmit_skb+0xe81/0x1d60 net/ipv4/tcp_output.c:1169
       tcp_transmit_skb net/ipv4/tcp_output.c:1185 [inline]
       __tcp_retransmit_skb+0x4bd/0x15f0 net/ipv4/tcp_output.c:2976
       tcp_retransmit_skb+0x36/0x1a0 net/ipv4/tcp_output.c:2999
       tcp_retransmit_timer+0x719/0x16d0 net/ipv4/tcp_timer.c:515
       tcp_write_timer_handler+0x42d/0x510 net/ipv4/tcp_timer.c:598
      
      Reported by Kernel Concurrency Sanitizer on:
      CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.4.0-rc3+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b9bda52f
    • A
      net: ethernet: octeon_mgmt: Account for second possible VLAN header · 2fbfdb2d
      Alexander Sverdlin 提交于
      [ Upstream commit e4dd5608033efe7b6030cde359bfdbaeb73bc22d ]
      
      Octeon's input ring-buffer entry has 14 bits-wide size field, so to account
      for second possible VLAN header max_mtu must be further reduced.
      
      Fixes: 109cc165 ("ethernet/cavium: use core min/max MTU checking")
      Signed-off-by: NAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2fbfdb2d
    • D
      ipv4: Fix table id reference in fib_sync_down_addr · 88f8c399
      David Ahern 提交于
      [ Upstream commit e0a312629fefa943534fc46f7bfbe6de3fdaf463 ]
      
      Hendrik reported routes in the main table using source address are not
      removed when the address is removed. The problem is that fib_sync_down_addr
      does not account for devices in the default VRF which are associated
      with the main table. Fix by updating the table id reference.
      
      Fixes: 5a56a0b3 ("net: Don't delete routes in different VRFs")
      Reported-by: NHendrik Donner <hd@os-cillation.de>
      Signed-off-by: NDavid Ahern <dsahern@kernel.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      88f8c399
    • O
      CDC-NCM: handle incomplete transfer of MTU · 0ddabef8
      Oliver Neukum 提交于
      [ Upstream commit 332f989a3b0041b810836c5c3747e59aad7e9d0b ]
      
      A malicious device may give half an answer when asked
      for its MTU. The driver will proceed after this with
      a garbage MTU. Anything but a complete answer must be treated
      as an error.
      
      V2: used sizeof as request by Alexander
      
      Reported-and-tested-by: syzbot+0631d878823ce2411636@syzkaller.appspotmail.com
      Signed-off-by: NOliver Neukum <oneukum@suse.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0ddabef8
    • J
      bonding: fix state transition issue in link monitoring · 27b5f4bf
      Jay Vosburgh 提交于
      [ Upstream commit 1899bb325149e481de31a4f32b59ea6f24e176ea ]
      
      Since de77ecd4 ("bonding: improve link-status update in
      mii-monitoring"), the bonding driver has utilized two separate variables
      to indicate the next link state a particular slave should transition to.
      Each is used to communicate to a different portion of the link state
      change commit logic; one to the bond_miimon_commit function itself, and
      another to the state transition logic.
      
      	Unfortunately, the two variables can become unsynchronized,
      resulting in incorrect link state transitions within bonding.  This can
      cause slaves to become stuck in an incorrect link state until a
      subsequent carrier state transition.
      
      	The issue occurs when a special case in bond_slave_netdev_event
      sets slave->link directly to BOND_LINK_FAIL.  On the next pass through
      bond_miimon_inspect after the slave goes carrier up, the BOND_LINK_FAIL
      case will set the proposed next state (link_new_state) to BOND_LINK_UP,
      but the new_link to BOND_LINK_DOWN.  The setting of the final link state
      from new_link comes after that from link_new_state, and so the slave
      will end up incorrectly in _DOWN state.
      
      	Resolve this by combining the two variables into one.
      Reported-by: NAleksei Zakharov <zakharov.a.g@yandex.ru>
      Reported-by: NSha Zhang <zhangsha.zhang@huawei.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Fixes: de77ecd4 ("bonding: improve link-status update in mii-monitoring")
      Signed-off-by: NJay Vosburgh <jay.vosburgh@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      27b5f4bf
  2. 10 11月, 2019 10 次提交