1. 23 1月, 2019 40 次提交
    • J
      loop: Fold __loop_release into loop_release · 38d9cce3
      Jan Kara 提交于
      commit 967d1dc144b50ad005e5eecdfadfbcfb399ffff6 upstream.
      
      __loop_release() has a single call site. Fold it there. This is
      currently not a huge win but it will make following replacement of
      loop_index_mutex more obvious.
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38d9cce3
    • T
      block/loop: Use global lock for ioctl() operation. · 342b3360
      Tetsuo Handa 提交于
      commit 310ca162d779efee8a2dc3731439680f3e9c1e86 upstream.
      
      syzbot is reporting NULL pointer dereference [1] which is caused by
      race condition between ioctl(loop_fd, LOOP_CLR_FD, 0) versus
      ioctl(other_loop_fd, LOOP_SET_FD, loop_fd) due to traversing other
      loop devices at loop_validate_file() without holding corresponding
      lo->lo_ctl_mutex locks.
      
      Since ioctl() request on loop devices is not frequent operation, we don't
      need fine grained locking. Let's use global lock in order to allow safe
      traversal at loop_validate_file().
      
      Note that syzbot is also reporting circular locking dependency between
      bdev->bd_mutex and lo->lo_ctl_mutex [2] which is caused by calling
      blkdev_reread_part() with lock held. This patch does not address it.
      
      [1] https://syzkaller.appspot.com/bug?id=f3cfe26e785d85f9ee259f385515291d21bd80a3
      [2] https://syzkaller.appspot.com/bug?id=bf154052f0eea4bc7712499e4569505907d15889Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: Nsyzbot <syzbot+bf89c128e05dd6c62523@syzkaller.appspotmail.com>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      342b3360
    • T
      block/loop: Don't grab "struct file" for vfs_getattr() operation. · f5d3c785
      Tetsuo Handa 提交于
      commit b1ab5fa309e6c49e4e06270ec67dd7b3e9971d04 upstream.
      
      vfs_getattr() needs "struct path" rather than "struct file".
      Let's use path_get()/path_put() rather than get_file()/fput().
      Signed-off-by: NTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reviewed-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5d3c785
    • Y
      tipc: fix uninit-value in tipc_nl_compat_doit · 21172412
      Ying Xue 提交于
      commit 2753ca5d9009c180dbfd4c802c80983b4b6108d1 upstream.
      
      BUG: KMSAN: uninit-value in tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
      CPU: 0 PID: 4514 Comm: syz-executor485 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
       tipc_nl_compat_recv+0x164b/0x2700 net/tipc/netlink_compat.c:1153
       genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
       genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
       netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
       netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
       netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
       netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x43fda9
      RSP: 002b:00007ffd0c184ba8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9
      RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
      R10: 00000000004002c8 R11: 0000000000000213 R12: 00000000004016d0
      R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
       slab_post_alloc_hook mm/slab.h:445 [inline]
       slab_alloc_node mm/slub.c:2737 [inline]
       __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:984 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
       netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
       sock_sendmsg_nosec net/socket.c:630 [inline]
       sock_sendmsg net/socket.c:640 [inline]
       ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
       __sys_sendmsg net/socket.c:2080 [inline]
       SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
       SyS_sendmsg+0x54/0x80 net/socket.c:2087
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      
      In tipc_nl_compat_recv(), when the len variable returned by
      nlmsg_attrlen() is 0, the message is still treated as a valid one,
      which is obviously unresonable. When len is zero, it means the
      message not only doesn't contain any valid TLV payload, but also
      TLV header is not included. Under this stituation, tlv_type field
      in TLV header is still accessed in tipc_nl_compat_dumpit() or
      tipc_nl_compat_doit(), but the field space is obviously illegal.
      Of course, it is not initialized.
      
      Reported-by: syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com
      Reported-by: syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      21172412
    • Y
      tipc: fix uninit-value in tipc_nl_compat_name_table_dump · 2d5fc1d4
      Ying Xue 提交于
      commit 974cb0e3e7c963ced06c4e32c5b2884173fa5e01 upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
      BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
      BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
      CPU: 0 PID: 6290 Comm: syz-executor848 Not tainted 4.19.0-rc8+ #70
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x306/0x460 lib/dump_stack.c:113
       kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
       __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
       __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
       __fswab32 include/uapi/linux/swab.h:59 [inline]
       tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
       __tipc_nl_compat_dumpit+0x59e/0xdb0 net/tipc/netlink_compat.c:205
       tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:270
       tipc_nl_compat_handle net/tipc/netlink_compat.c:1151 [inline]
       tipc_nl_compat_recv+0x1402/0x2760 net/tipc/netlink_compat.c:1210
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x440179
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007ffecec49318 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
      R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
      R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
       kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
       kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2727 [inline]
       __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:996 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
       netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      We cannot take for granted the thing that the length of data contained
      in TLV is longer than the size of struct tipc_name_table_query in
      tipc_nl_compat_name_table_dump().
      
      Reported-by: syzbot+06e771a754829716a327@syzkaller.appspotmail.com
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2d5fc1d4
    • Y
      tipc: fix uninit-value in tipc_nl_compat_link_set · 04d87429
      Ying Xue 提交于
      commit edf5ff04a45750ac8ce2435974f001dc9cfbf055 upstream.
      
      syzbot reports following splat:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
      CPU: 1 PID: 9306 Comm: syz-executor172 Not tainted 4.20.0-rc7+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x173/0x1d0 lib/dump_stack.c:113
        kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
        __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
        strlen+0x3b/0xa0 lib/string.c:486
        nla_put_string include/net/netlink.h:1154 [inline]
        __tipc_nl_compat_link_set net/tipc/netlink_compat.c:708 [inline]
        tipc_nl_compat_link_set+0x929/0x1220 net/tipc/netlink_compat.c:744
        __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
        tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
        tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
        tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
        genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
        genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
        netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
        genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
        netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
        netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
        netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
        sock_sendmsg_nosec net/socket.c:621 [inline]
        sock_sendmsg net/socket.c:631 [inline]
        ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
        __sys_sendmsg net/socket.c:2154 [inline]
        __do_sys_sendmsg net/socket.c:2163 [inline]
        __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
        __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
        do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
        entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The uninitialised access happened in
          nla_put_string(skb, TIPC_NLA_LINK_NAME, lc->name)
      
      This is because lc->name string is not validated before it's used.
      
      Reported-by: syzbot+d78b8a29241a195aefb8@syzkaller.appspotmail.com
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      04d87429
    • Y
      tipc: fix uninit-value in tipc_nl_compat_bearer_enable · 7960fb71
      Ying Xue 提交于
      commit 0762216c0ad2a2fccd63890648eca491f2c83d9a upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484
      CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x306/0x460 lib/dump_stack.c:113
       kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
       __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
       strlen+0x3b/0xa0 lib/string.c:484
       nla_put_string include/net/netlink.h:1011 [inline]
       tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389
       __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
       tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344
       tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
       netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
       netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x440179
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
      RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
      RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
      R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
      R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
       kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
       kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
       kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2727 [inline]
       __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:996 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
       netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The root cause is that we don't validate whether bear name is a valid
      string in tipc_nl_compat_bearer_enable().
      
      Meanwhile, we also fix the same issue in the following functions:
      tipc_nl_compat_bearer_disable()
      tipc_nl_compat_link_stat_dump()
      tipc_nl_compat_media_set()
      tipc_nl_compat_bearer_set()
      
      Reported-by: syzbot+b33d5cae0efd35dbfe77@syzkaller.appspotmail.com
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7960fb71
    • Y
      tipc: fix uninit-value in tipc_nl_compat_link_reset_stats · 1d61caf0
      Ying Xue 提交于
      commit 8b66fee7f8ee18f9c51260e7a43ab37db5177a05 upstream.
      
      syzbot reports following splat:
      
      BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
      CPU: 1 PID: 11057 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #2
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x173/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
       __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
       strlen+0x3b/0xa0 lib/string.c:486
       nla_put_string include/net/netlink.h:1154 [inline]
       tipc_nl_compat_link_reset_stats+0x1f0/0x360 net/tipc/netlink_compat.c:760
       __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
       tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
       tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
       tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
       genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
       genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
       netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
       genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x457ec9
      Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f2557338c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
      RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f25573396d4
      R13: 00000000004cb478 R14: 00000000004d86c8 R15: 00000000ffffffff
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
       kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
       kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
       kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
       slab_post_alloc_hook mm/slab.h:446 [inline]
       slab_alloc_node mm/slub.c:2759 [inline]
       __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
       __kmalloc_reserve net/core/skbuff.c:137 [inline]
       __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
       alloc_skb include/linux/skbuff.h:998 [inline]
       netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
       netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      The uninitialised access happened in tipc_nl_compat_link_reset_stats:
          nla_put_string(skb, TIPC_NLA_LINK_NAME, name)
      
      This is because name string is not validated before it's used.
      
      Reported-by: syzbot+e01d94b5a4c266be6e4c@syzkaller.appspotmail.com
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d61caf0
    • Y
      tipc: fix uninit-value in in tipc_conn_rcv_sub · 92773336
      Ying Xue 提交于
      commit a88289f4ddee4165d5f796bd99e09eec3133c16b upstream.
      
      syzbot reported:
      
      BUG: KMSAN: uninit-value in tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
      CPU: 0 PID: 66 Comm: kworker/u4:4 Not tainted 4.17.0-rc3+ #88
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: tipc_rcv tipc_conn_recv_work
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:113
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       tipc_conn_rcv_sub+0x184/0x950 net/tipc/topsrv.c:373
       tipc_conn_rcv_from_sock net/tipc/topsrv.c:409 [inline]
       tipc_conn_recv_work+0x3cd/0x560 net/tipc/topsrv.c:424
       process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
       worker_thread+0x113c/0x24f0 kernel/workqueue.c:2279
       kthread+0x539/0x720 kernel/kthread.c:239
       ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:412
      
      Local variable description: ----s.i@tipc_conn_recv_work
      Variable was created at:
       tipc_conn_recv_work+0x65/0x560 net/tipc/topsrv.c:419
       process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2145
      
      In tipc_conn_rcv_from_sock(), it always supposes the length of message
      received from sock_recvmsg() is not smaller than the size of struct
      tipc_subscr. However, this assumption is false. Especially when the
      length of received message is shorter than struct tipc_subscr size,
      we will end up touching uninitialized fields in tipc_conn_rcv_sub().
      
      Reported-by: syzbot+8951a3065ee7fd6d6e23@syzkaller.appspotmail.com
      Reported-by: syzbot+75e6e042c5bbf691fc82@syzkaller.appspotmail.com
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      92773336
    • X
      sctp: allocate sctp_sockaddr_entry with kzalloc · 7f902f7c
      Xin Long 提交于
      commit 400b8b9a2a17918f8ce00786f596f530e7f30d50 upstream.
      
      The similar issue as fixed in Commit 4a2eb0c37b47 ("sctp: initialize
      sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
      in sctp_inetaddr_event, as Alexander noticed.
      
      To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
      ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().
      Reported-by: NAlexander Potapenko <glider@google.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7f902f7c
    • J
      blockdev: Fix livelocks on loop device · 1e11b1d6
      Jan Kara 提交于
      commit 04906b2f542c23626b0ef6219b808406f8dddbe9 upstream.
      
      bd_set_size() updates also block device's block size. This is somewhat
      unexpected from its name and at this point, only blkdev_open() uses this
      functionality. Furthermore, this can result in changing block size under
      a filesystem mounted on a loop device which leads to livelocks inside
      __getblk_gfp() like:
      
      Sending NMI from CPU 0 to CPUs 1:
      NMI backtrace for cpu 1
      CPU: 1 PID: 10863 Comm: syz-executor0 Not tainted 4.18.0-rc5+ #151
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
      01/01/2011
      RIP: 0010:__sanitizer_cov_trace_pc+0x3f/0x50 kernel/kcov.c:106
      ...
      Call Trace:
       init_page_buffers+0x3e2/0x530 fs/buffer.c:904
       grow_dev_page fs/buffer.c:947 [inline]
       grow_buffers fs/buffer.c:1009 [inline]
       __getblk_slow fs/buffer.c:1036 [inline]
       __getblk_gfp+0x906/0xb10 fs/buffer.c:1313
       __bread_gfp+0x2d/0x310 fs/buffer.c:1347
       sb_bread include/linux/buffer_head.h:307 [inline]
       fat12_ent_bread+0x14e/0x3d0 fs/fat/fatent.c:75
       fat_ent_read_block fs/fat/fatent.c:441 [inline]
       fat_alloc_clusters+0x8ce/0x16e0 fs/fat/fatent.c:489
       fat_add_cluster+0x7a/0x150 fs/fat/inode.c:101
       __fat_get_block fs/fat/inode.c:148 [inline]
      ...
      
      Trivial reproducer for the problem looks like:
      
      truncate -s 1G /tmp/image
      losetup /dev/loop0 /tmp/image
      mkfs.ext4 -b 1024 /dev/loop0
      mount -t ext4 /dev/loop0 /mnt
      losetup -c /dev/loop0
      l /mnt
      
      Fix the problem by moving initialization of a block device block size
      into a separate function and call it when needed.
      
      Thanks to Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> for help with
      debugging the problem.
      
      Reported-by: syzbot+9933e4476f365f5d5a1b@syzkaller.appspotmail.com
      Signed-off-by: NJan Kara <jack@suse.cz>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e11b1d6
    • S
      selinux: fix GPF on invalid policy · 5a79e71e
      Stephen Smalley 提交于
      commit 5b0e7310a2a33c06edc7eb81ffc521af9b2c5610 upstream.
      
      levdatum->level can be NULL if we encounter an error while loading
      the policy during sens_read prior to initializing it.  Make sure
      sens_destroy handles that case correctly.
      
      Reported-by: syzbot+6664500f0f18f07a5c0e@syzkaller.appspotmail.com
      Signed-off-by: NStephen Smalley <sds@tycho.nsa.gov>
      Signed-off-by: NPaul Moore <paul@paul-moore.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5a79e71e
    • Y
      block: use rcu_work instead of call_rcu to avoid sleep in softirq · 4cc66cc4
      Yufen Yu 提交于
      commit 94a2c3a32b62e868dc1e3d854326745a7f1b8c7a upstream.
      
      We recently got a stack by syzkaller like this:
      
      BUG: sleeping function called from invalid context at mm/slab.h:361
      in_atomic(): 1, irqs_disabled(): 0, pid: 6644, name: blkid
      INFO: lockdep is turned off.
      CPU: 1 PID: 6644 Comm: blkid Not tainted 4.4.163-514.55.6.9.x86_64+ #76
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
       0000000000000000 5ba6a6b879e50c00 ffff8801f6b07b10 ffffffff81cb2194
       0000000041b58ab3 ffffffff833c7745 ffffffff81cb2080 5ba6a6b879e50c00
       0000000000000000 0000000000000001 0000000000000004 0000000000000000
      Call Trace:
       <IRQ>  [<ffffffff81cb2194>] __dump_stack lib/dump_stack.c:15 [inline]
       <IRQ>  [<ffffffff81cb2194>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
       [<ffffffff8129a981>] ___might_sleep+0x291/0x490 kernel/sched/core.c:7675
       [<ffffffff8129ac33>] __might_sleep+0xb3/0x270 kernel/sched/core.c:7637
       [<ffffffff81794c13>] slab_pre_alloc_hook mm/slab.h:361 [inline]
       [<ffffffff81794c13>] slab_alloc_node mm/slub.c:2610 [inline]
       [<ffffffff81794c13>] slab_alloc mm/slub.c:2692 [inline]
       [<ffffffff81794c13>] kmem_cache_alloc_trace+0x2c3/0x5c0 mm/slub.c:2709
       [<ffffffff81cbe9a7>] kmalloc include/linux/slab.h:479 [inline]
       [<ffffffff81cbe9a7>] kzalloc include/linux/slab.h:623 [inline]
       [<ffffffff81cbe9a7>] kobject_uevent_env+0x2c7/0x1150 lib/kobject_uevent.c:227
       [<ffffffff81cbf84f>] kobject_uevent+0x1f/0x30 lib/kobject_uevent.c:374
       [<ffffffff81cbb5b9>] kobject_cleanup lib/kobject.c:633 [inline]
       [<ffffffff81cbb5b9>] kobject_release+0x229/0x440 lib/kobject.c:675
       [<ffffffff81cbb0a2>] kref_sub include/linux/kref.h:73 [inline]
       [<ffffffff81cbb0a2>] kref_put include/linux/kref.h:98 [inline]
       [<ffffffff81cbb0a2>] kobject_put+0x72/0xd0 lib/kobject.c:692
       [<ffffffff8216f095>] put_device+0x25/0x30 drivers/base/core.c:1237
       [<ffffffff81c4cc34>] delete_partition_rcu_cb+0x1d4/0x2f0 block/partition-generic.c:232
       [<ffffffff813c08bc>] __rcu_reclaim kernel/rcu/rcu.h:118 [inline]
       [<ffffffff813c08bc>] rcu_do_batch kernel/rcu/tree.c:2705 [inline]
       [<ffffffff813c08bc>] invoke_rcu_callbacks kernel/rcu/tree.c:2973 [inline]
       [<ffffffff813c08bc>] __rcu_process_callbacks kernel/rcu/tree.c:2940 [inline]
       [<ffffffff813c08bc>] rcu_process_callbacks+0x59c/0x1c70 kernel/rcu/tree.c:2957
       [<ffffffff8120f509>] __do_softirq+0x299/0xe20 kernel/softirq.c:273
       [<ffffffff81210496>] invoke_softirq kernel/softirq.c:350 [inline]
       [<ffffffff81210496>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
       [<ffffffff82c2cd7b>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
       [<ffffffff82c2cd7b>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
       [<ffffffff82c2bc25>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:746
       <EOI>  [<ffffffff814cbf40>] ? audit_kill_trees+0x180/0x180
       [<ffffffff8187d2f7>] fd_install+0x57/0x80 fs/file.c:626
       [<ffffffff8180989e>] do_sys_open+0x45e/0x550 fs/open.c:1043
       [<ffffffff818099c2>] SYSC_open fs/open.c:1055 [inline]
       [<ffffffff818099c2>] SyS_open+0x32/0x40 fs/open.c:1050
       [<ffffffff82c299e1>] entry_SYSCALL_64_fastpath+0x1e/0x9a
      
      In softirq context, we call rcu callback function delete_partition_rcu_cb(),
      which may allocate memory by kzalloc with GFP_KERNEL flag. If the
      allocation cannot be satisfied, it may sleep. However, That is not allowed
      in softirq contex.
      
      Although we found this problem on linux 4.4, the latest kernel version
      seems to have this problem as well. And it is very similar to the
      previous one:
      	https://lkml.org/lkml/2018/7/9/391
      
      Fix it by using RCU workqueue, which allows sleep.
      Reviewed-by: NPaul E. McKenney <paulmck@linux.ibm.com>
      Signed-off-by: NYufen Yu <yuyufen@huawei.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4cc66cc4
    • S
      netfilter: ebtables: account ebt_table_info to kmemcg · 2663bcba
      Shakeel Butt 提交于
      commit e2c8d550a973bb34fc28bc8d0ec996f84562fb8a upstream.
      
      The [ip,ip6,arp]_tables use x_tables_info internally and the underlying
      memory is already accounted to kmemcg. Do the same for ebtables. The
      syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the
      whole system from a restricted memcg, a potential DoS.
      
      By accounting the ebt_table_info, the memory used for ebt_table_info can
      be contained within the memcg of the allocating process. However the
      lifetime of ebt_table_info is independent of the allocating process and
      is tied to the network namespace. So, the oom-killer will not be able to
      relieve the memory pressure due to ebt_table_info memory. The memory for
      ebt_table_info is allocated through vmalloc. Currently vmalloc does not
      handle the oom-killed allocating process correctly and one large
      allocation can bypass memcg limit enforcement. So, with this patch,
      at least the small allocations will be contained. For large allocations,
      we need to fix vmalloc.
      
      Reported-by: syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com
      Signed-off-by: NShakeel Butt <shakeelb@google.com>
      Reviewed-by: NKirill Tkhai <ktkhai@virtuozzo.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2663bcba
    • J
      sunrpc: handle ENOMEM in rpcb_getport_async · 61b29bed
      J. Bruce Fields 提交于
      commit 81c88b18de1f11f70c97f28ced8d642c00bb3955 upstream.
      
      If we ignore the error we'll hit a null dereference a little later.
      
      Reported-by: syzbot+4b98281f2401ab849f4b@syzkaller.appspotmail.com
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      Signed-off-by: NAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      61b29bed
    • H
      media: vb2: vb2_mmap: move lock up · c4f39cba
      Hans Verkuil 提交于
      commit cd26d1c4d1bc947b56ae404998ae2276df7b39b7 upstream.
      
      If a filehandle is dup()ped, then it is possible to close it from one fd
      and call mmap from the other. This creates a race condition in vb2_mmap
      where it is using queue data that __vb2_queue_free (called from close())
      is in the process of releasing.
      
      By moving up the mutex_lock(mmap_lock) in vb2_mmap this race is avoided
      since __vb2_queue_free is called with the same mutex locked. So vb2_mmap
      now reads consistent buffer data.
      Signed-off-by: NHans Verkuil <hverkuil@xs4all.nl>
      Reported-by: syzbot+be93025dd45dccd8923c@syzkaller.appspotmail.com
      Signed-off-by: NHans Verkuil <hansverk@cisco.com>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c4f39cba
    • J
      LSM: Check for NULL cred-security on free · a19aedf1
      James Morris 提交于
      commit a5795fd38ee8194451ba3f281f075301a3696ce2 upstream.
      
      From: Casey Schaufler <casey@schaufler-ca.com>
      
      Check that the cred security blob has been set before trying
      to clean it up. There is a case during credential initialization
      that could result in this.
      Signed-off-by: NCasey Schaufler <casey@schaufler-ca.com>
      Acked-by: NJohn Johansen <john.johansen@canonical.com>
      Signed-off-by: NJames Morris <james.morris@microsoft.com>
      Reported-by: syzbot+69ca07954461f189e808@syzkaller.appspotmail.com
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a19aedf1
    • E
      ipv6: make icmp6_send() robust against null skb->dev · a72e572f
      Eric Dumazet 提交于
      commit 8d933670452107e41165bea70a30dffbd281bef1 upstream.
      
      syzbot was able to crash one host with the following stack trace :
      
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 8625 Comm: syz-executor4 Not tainted 4.20.0+ #8
      RIP: 0010:dev_net include/linux/netdevice.h:2169 [inline]
      RIP: 0010:icmp6_send+0x116/0x2d30 net/ipv6/icmp.c:426
       icmpv6_send
       smack_socket_sock_rcv_skb
       security_sock_rcv_skb
       sk_filter_trim_cap
       __sk_receive_skb
       dccp_v6_do_rcv
       release_sock
      
      This is because a RX packet found socket owned by user and
      was stored into socket backlog. Before leaving RCU protected section,
      skb->dev was cleared in __sk_receive_skb(). When socket backlog
      was finally handled at release_sock() time, skb was fed to
      smack_socket_sock_rcv_skb() then icmp6_send()
      
      We could fix the bug in smack_socket_sock_rcv_skb(), or simply
      make icmp6_send() more robust against such possibility.
      
      In the future we might provide to icmp6_send() the net pointer
      instead of infering it.
      
      Fixes: d66a8acb ("Smack: Inform peer that IPv6 traffic has been blocked")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: Piotr Sawicki <p.sawicki2@partner.samsung.com>
      Cc: Casey Schaufler <casey@schaufler-ca.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Acked-by: NCasey Schaufler <casey@schaufler-ca.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a72e572f
    • W
      bpf: in __bpf_redirect_no_mac pull mac only if present · 341906cb
      Willem de Bruijn 提交于
      commit e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 upstream.
      
      Syzkaller was able to construct a packet of negative length by
      redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:
      
          BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
          BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942
      
          kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
          check_memory_region_inline mm/kasan/kasan.c:260 [inline]
          check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
          memcpy+0x23/0x50 mm/kasan/kasan.c:302
          memcpy include/linux/string.h:345 [inline]
          skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          __pskb_copy include/linux/skbuff.h:1053 [inline]
          pskb_copy include/linux/skbuff.h:2904 [inline]
          skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
          ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
          sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
          __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
          netdev_start_xmit include/linux/netdevice.h:4334 [inline]
          xmit_one net/core/dev.c:3219 [inline]
          dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
          __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
          dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
          __bpf_tx_skb net/core/filter.c:2016 [inline]
          __bpf_redirect_common net/core/filter.c:2054 [inline]
          __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
          ____bpf_clone_redirect net/core/filter.c:2094 [inline]
          bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
          bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000
      
      The generated test constructs a packet with mac header, network
      header, skb->data pointing to network header and skb->len 0.
      
      Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
      mac length, even though skb->data already is at skb->network_header.
      bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.
      
      Update the offset calculation to pull only if skb->data differs
      from skb->network_header, which is not true in this case.
      
      The test itself can be run only from commit 1cf1cae9 ("bpf:
      introduce BPF_PROG_TEST_RUN command"), but the same type of packets
      with skb at network header could already be built from lwt xmit hooks,
      so this fix is more relevant to that commit.
      
      Also set the mac header on redirect from LWT_XMIT, as even after this
      change to __bpf_redirect_no_mac that field is expected to be set, but
      is not yet in ip_finish_output2.
      
      Fixes: 3a0af8fd ("bpf: BPF for lightweight tunnel infrastructure")
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Acked-by: NMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      341906cb
    • H
      media: vivid: set min width/height to a value > 0 · d9c249a3
      Hans Verkuil 提交于
      commit 9729d6d282a6d7ce88e64c9119cecdf79edf4e88 upstream.
      
      The capture DV timings capabilities allowed for a minimum width and
      height of 0. So passing a timings struct with 0 values is allowed
      and will later cause a division by zero.
      
      Ensure that the width and height must be >= 16 to avoid this.
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: syzbot+57c3d83d71187054d56f@syzkaller.appspotmail.com
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d9c249a3
    • H
      media: vivid: fix error handling of kthread_run · 4497ce43
      Hans Verkuil 提交于
      commit 701f49bc028edb19ffccd101997dd84f0d71e279 upstream.
      
      kthread_run returns an error pointer, but elsewhere in the code
      dev->kthread_vid_cap/out is checked against NULL.
      
      If kthread_run returns an error, then set the pointer to NULL.
      
      I chose this method over changing all kthread_vid_cap/out tests
      elsewhere since this is more robust.
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Reported-by: syzbot+53d5b2df0d9744411e2e@syzkaller.appspotmail.com
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4497ce43
    • V
      omap2fb: Fix stack memory disclosure · 4190c5fd
      Vlad Tsyrklevich 提交于
      commit a01421e4484327fe44f8e126793ed5a48a221e24 upstream.
      
      Using [1] for static analysis I found that the OMAPFB_QUERY_PLANE,
      OMAPFB_GET_COLOR_KEY, OMAPFB_GET_DISPLAY_INFO, and OMAPFB_GET_VRAM_INFO
      cases could all leak uninitialized stack memory--either due to
      uninitialized padding or 'reserved' fields.
      
      Fix them by clearing the shared union used to store copied out data.
      
      [1] https://github.com/vlad902/kernel-uninitialized-memory-checkerSigned-off-by: NVlad Tsyrklevich <vlad@tsyrklevich.net>
      Reviewed-by: NKees Cook <keescook@chromium.org>
      Fixes: b39a982d ("OMAP: DSS2: omapfb driver")
      Cc: security@kernel.org
      [b.zolnierkie: prefix patch subject with "omap2fb: "]
      Signed-off-by: NBartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4190c5fd
    • F
      fix int_sqrt64() for very large numbers · 328f3de2
      Florian La Roche 提交于
      commit fbfaf851902cd9293f392f3a1735e0543016d530 upstream.
      
      If an input number x for int_sqrt64() has the highest bit set, then
      fls64(x) is 64.  (1UL << 64) is an overflow and breaks the algorithm.
      
      Subtracting 1 is a better guess for the initial value of m anyway and
      that's what also done in int_sqrt() implicitly [*].
      
      [*] Note how int_sqrt() uses __fls() with two underscores, which already
          returns the proper raw bit number.
      
          In contrast, int_sqrt64() used fls64(), and that returns bit numbers
          illogically starting at 1, because of error handling for the "no
          bits set" case. Will points out that he bug probably is due to a
          copy-and-paste error from the regular int_sqrt() case.
      Signed-off-by: NFlorian La Roche <Florian.LaRoche@googlemail.com>
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      328f3de2
    • Y
      Disable MSI also when pcie-octeon.pcie_disable on · 89a9f049
      YunQiang Su 提交于
      commit a214720cbf50cd8c3f76bbb9c3f5c283910e9d33 upstream.
      
      Octeon has an boot-time option to disable pcie.
      
      Since MSI depends on PCI-E, we should also disable MSI also with
      this option is on in order to avoid inadvertently accessing PCIe
      registers.
      Signed-off-by: NYunQiang Su <ysu@wavecomp.com>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: pburton@wavecomp.com
      Cc: linux-mips@vger.kernel.org
      Cc: aaro.koskinen@iki.fi
      Cc: stable@vger.kernel.org # v3.3+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      89a9f049
    • H
      arm64: dts: marvell: armada-ap806: reserve PSCI area · 3832c115
      Heinrich Schuchardt 提交于
      commit 132ac39cffbcfed80ada38ef0fc6d34d95da7be6 upstream.
      
      The memory area [0x4000000-0x4200000[ is occupied by the PSCI firmware. Any
      attempt to access it from Linux leads to an immediate crash.
      
      So let's make the same memory reservation as the vendor kernel.
      
      [gregory: added as comment that this region matches the mainline U-boot]
      Signed-off-by: NHeinrich Schuchardt <xypron.glpk@gmx.de>
      Signed-off-by: NGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3832c115
    • A
      arm64: kaslr: ensure randomized quantities are clean to the PoC · ca8080c3
      Ard Biesheuvel 提交于
      commit 1598ecda7b239e9232dda032bfddeed9d89fab6c upstream.
      
      kaslr_early_init() is called with the kernel mapped at its
      link time offset, and if it returns with a non-zero offset,
      the kernel is unmapped and remapped again at the randomized
      offset.
      
      During its execution, kaslr_early_init() also randomizes the
      base of the module region and of the linear mapping of DRAM,
      and sets two variables accordingly. However, since these
      variables are assigned with the caches on, they may get lost
      during the cache maintenance that occurs when unmapping and
      remapping the kernel, so ensure that these values are cleaned
      to the PoC.
      Acked-by: NCatalin Marinas <catalin.marinas@arm.com>
      Fixes: f80fb3a3 ("arm64: add support for kernel ASLR")
      Cc: <stable@vger.kernel.org> # v4.6+
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ca8080c3
    • K
      pstore/ram: Avoid allocation and leak of platform data · 483ac8e6
      Kees Cook 提交于
      commit 5631e8576a3caf606cdc375f97425a67983b420c upstream.
      
      Yue Hu noticed that when parsing device tree the allocated platform data
      was never freed. Since it's not used beyond the function scope, this
      switches to using a stack variable instead.
      Reported-by: NYue Hu <huyue2@yulong.com>
      Fixes: 35da6094 ("pstore/ram: add Device Tree bindings")
      Cc: stable@vger.kernel.org
      Signed-off-by: NKees Cook <keescook@chromium.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      483ac8e6
    • J
      net: dsa: realtek-smi: fix OF child-node lookup · a10cabbf
      Johan Hovold 提交于
      commit 3f1bb6abdf19cfa89860b3bc9e7f31b44b6a0ba1 upstream.
      
      Use the new of_get_compatible_child() helper to look up child nodes to
      avoid ever matching non-child nodes elsewhere in the tree.
      
      Also fix up the related struct device_node leaks.
      
      Fixes: d8652956 ("net: dsa: realtek-smi: Add Realtek SMI driver")
      Cc: stable <stable@vger.kernel.org>     # 4.19: 36156f92
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a10cabbf
    • P
      kbuild: Disable LD_DEAD_CODE_DATA_ELIMINATION with ftrace & GCC <= 4.7 · 0098f2e7
      Paul Burton 提交于
      commit 16fd20aa98080c2fa666dc384036ec08c80af710 upstream.
      
      When building using GCC 4.7 or older, -ffunction-sections & the -pg flag
      used by ftrace are incompatible. This causes warnings or build failures
      (where -Werror applies) such as the following:
      
        arch/mips/generic/init.c:
          error: -ffunction-sections disabled; it makes profiling impossible
      
      This used to be taken into account by the ordering of calls to cc-option
      from within the top-level Makefile, which was introduced by commit
      90ad4052 ("kbuild: avoid conflict between -ffunction-sections and
      -pg on gcc-4.7"). Unfortunately this was broken when the
      CONFIG_LD_DEAD_CODE_DATA_ELIMINATION cc-option check was moved to
      Kconfig in commit e85d1d65 ("kbuild: test dead code/data elimination
      support in Kconfig"), because the flags used by this check no longer
      include -pg.
      
      Fix this by not allowing CONFIG_LD_DEAD_CODE_DATA_ELIMINATION to be
      enabled at the same time as ftrace/CONFIG_FUNCTION_TRACER when building
      using GCC 4.7 or older.
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Fixes: e85d1d65 ("kbuild: test dead code/data elimination support in Kconfig")
      Reported-by: NGeert Uytterhoeven <geert@linux-m68k.org>
      Cc: Nicholas Piggin <npiggin@gmail.com>
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0098f2e7
    • A
      RDMA/vmw_pvrdma: Return the correct opcode when creating WR · ec485378
      Adit Ranadive 提交于
      commit 6325e01b6cdf4636b721cf7259c1616e3cf28ce2 upstream.
      
      Since the IB_WR_REG_MR opcode value changed, let's set the PVRDMA device
      opcodes explicitly.
      Reported-by: NRuishuang Wang <ruishuangw@vmware.com>
      Fixes: 9a59739bd01f ("IB/rxe: Revise the ib_wr_opcode enum")
      Cc: stable@vger.kernel.org
      Reviewed-by: NBryan Tan <bryantan@vmware.com>
      Reviewed-by: NRuishuang Wang <ruishuangw@vmware.com>
      Reviewed-by: NVishnu Dasa <vdasa@vmware.com>
      Signed-off-by: NAdit Ranadive <aditr@vmware.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ec485378
    • L
      RDMA/nldev: Don't expose unsafe global rkey to regular user · 836edf22
      Leon Romanovsky 提交于
      commit a9666c1cae8dbcd1a9aacd08a778bf2a28eea300 upstream.
      
      Unsafe global rkey is considered dangerous because it exposes memory
      registered for all memory in the system. Only users with a QP on the same
      PD can use the rkey, and generally those QPs will already know the
      value. However, out of caution, do not expose the value to unprivleged
      users on the local system. Require CAP_NET_ADMIN instead.
      
      Cc: <stable@vger.kernel.org> # 4.16
      Fixes: 29cf1351 ("RDMA/nldev: provide detailed PD information")
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      836edf22
    • S
      media: v4l: ioctl: Validate num_planes for debug messages · 8f4a0e7d
      Sakari Ailus 提交于
      commit 7fe9f01c04c2673bd6662c35b664f0f91888b96f upstream.
      
      The num_planes field in struct v4l2_pix_format_mplane is used in a loop
      before validating it. As the use is printing a debug message in this case,
      just cap the value to the maximum allowed.
      Signed-off-by: NSakari Ailus <sakari.ailus@linux.intel.com>
      Cc: stable@vger.kernel.org
      Reviewed-by: NThierry Reding <treding@nvidia.com>
      Signed-off-by: NHans Verkuil <hverkuil-cisco@xs4all.nl>
      Cc: <stable@vger.kernel.org>      # for v4.12 and up
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f4a0e7d
    • J
      mfd: tps6586x: Handle interrupts on suspend · d846f48c
      Jonathan Hunter 提交于
      commit ac4ca4b9f4623ba5e1ea7a582f286567c611e027 upstream.
      
      The tps6586x driver creates an irqchip that is used by its various child
      devices for managing interrupts. The tps6586x-rtc device is one of its
      children that uses the tps6586x irqchip. When using the tps6586x-rtc as
      a wake-up device from suspend, the following is seen:
      
       PM: Syncing filesystems ... done.
       Freezing user space processes ... (elapsed 0.001 seconds) done.
       OOM killer disabled.
       Freezing remaining freezable tasks ... (elapsed 0.000 seconds) done.
       Disabling non-boot CPUs ...
       Entering suspend state LP1
       Enabling non-boot CPUs ...
       CPU1 is up
       tps6586x 3-0034: failed to read interrupt status
       tps6586x 3-0034: failed to read interrupt status
      
      The reason why the tps6586x interrupt status cannot be read is because
      the tps6586x interrupt is not masked during suspend and when the
      tps6586x-rtc interrupt occurs, to wake-up the device, the interrupt is
      seen before the i2c controller has been resumed in order to read the
      tps6586x interrupt status.
      
      The tps6586x-rtc driver sets it's interrupt as a wake-up source during
      suspend, which gets propagated to the parent tps6586x interrupt.
      However, the tps6586x-rtc driver cannot disable it's interrupt during
      suspend otherwise we would never be woken up and so the tps6586x must
      disable it's interrupt instead.
      
      Prevent the tps6586x interrupt handler from executing on exiting suspend
      before the i2c controller has been resumed by disabling the tps6586x
      interrupt on entering suspend and re-enabling it on resuming from
      suspend.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NJon Hunter <jonathanh@nvidia.com>
      Reviewed-by: NDmitry Osipenko <digetx@gmail.com>
      Tested-by: NDmitry Osipenko <digetx@gmail.com>
      Acked-by: NThierry Reding <treding@nvidia.com>
      Signed-off-by: NLee Jones <lee.jones@linaro.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d846f48c
    • J
      OF: properties: add missing of_node_put · a752c6d6
      Julia Lawall 提交于
      commit 28b170e88bc0c7509e6724717c15cb4b5686026e upstream.
      
      Add an of_node_put when the result of of_graph_get_remote_port_parent is
      not available.
      
      The semantic match that finds this problem is as follows
      (http://coccinelle.lip6.fr):
      
      // <smpl>
      @r exists@
      local idexpression e;
      expression x;
      @@
      e = of_graph_get_remote_port_parent(...);
      ... when != x = e
          when != true e == NULL
          when != of_node_put(e)
          when != of_fwnode_handle(e)
      (
      return e;
      |
      *return ...;
      )
      // </smpl>
      Signed-off-by: NJulia Lawall <Julia.Lawall@lip6.fr>
      Cc: stable@vger.kernel.org
      Signed-off-by: NRob Herring <robh@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a752c6d6
    • Z
      drm/i915/gvt: Fix mmap range check · ac8b9e8e
      Zhenyu Wang 提交于
      commit 51b00d8509dc69c98740da2ad07308b630d3eb7d upstream.
      
      This is to fix missed mmap range check on vGPU bar2 region
      and only allow to map vGPU allocated GMADDR range, which means
      user space should support sparse mmap to get proper offset for
      mmap vGPU aperture. And this takes care of actual pgoff in mmap
      request as original code always does from beginning of vGPU
      aperture.
      
      Fixes: 659643f7 ("drm/i915/gvt/kvmgt: add vfio/mdev support to KVMGT")
      Cc: "Monroy, Rodrigo Axel" <rodrigo.axel.monroy@intel.com>
      Cc: "Orrala Contreras, Alfredo" <alfredo.orrala.contreras@intel.com>
      Cc: stable@vger.kernel.org # v4.10+
      Reviewed-by: NHang Yuan <hang.yuan@intel.com>
      Signed-off-by: NZhenyu Wang <zhenyuw@linux.intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ac8b9e8e
    • H
      MIPS: lantiq: Fix IPI interrupt handling · 434b1b91
      Hauke Mehrtens 提交于
      commit 2b4dba55b04b212a7fd1f0395b41d79ee3a9801b upstream.
      
      This makes SMP on the vrx200 work again, by removing all the MIPS CPU
      interrupt specific code and making it fully use the generic MIPS CPU
      interrupt controller.
      
      The mti,cpu-interrupt-controller from irq-mips-cpu.c now handles the CPU
      interrupts and also the IPI interrupts which are used to communication
      between the CPUs in a SMP system. The generic interrupt code was
      already used before but the interrupt vectors were overwritten again
      when we called set_vi_handler() in the lantiq interrupt driver and we
      also provided our own plat_irq_dispatch() function which overwrote the
      weak generic implementation. Now the code uses the generic handler for
      the MIPS CPU interrupts including the IPI interrupts and registers a
      handler for the CPU interrupts which are handled by the lantiq ICU with
      irq_set_chained_handler() which was already called before.
      
      Calling the set_c0_status() function is also not needed any more because
      the generic MIPS CPU interrupt already activates the needed bits.
      
      Fixes: 1eed4004 ("MIPS: smp-mt: Use CPU interrupt controller IPI IRQ domain support")
      Cc: stable@kernel.org # v4.12
      Signed-off-by: NHauke Mehrtens <hauke@hauke-m.de>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: jhogan@kernel.org
      Cc: ralf@linux-mips.org
      Cc: john@phrozen.org
      Cc: linux-mips@linux-mips.org
      Cc: linux-mips@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      434b1b91
    • R
      MIPS: BCM47XX: Setup struct device for the SoC · 19f41f32
      Rafał Miłecki 提交于
      commit 321c46b91550adc03054125fa7a1639390608e1a upstream.
      
      So far we never had any device registered for the SoC. This resulted in
      some small issues that we kept ignoring like:
      1) Not working GPIOLIB_IRQCHIP (gpiochip_irqchip_add_key() failing)
      2) Lack of proper tree in the /sys/devices/
      3) mips_dma_alloc_coherent() silently handling empty coherent_dma_mask
      
      Kernel 4.19 came with a lot of DMA changes and caused a regression on
      bcm47xx. Starting with the commit f8c55dc6 ("MIPS: use generic dma
      noncoherent ops for simple noncoherent platforms") DMA coherent
      allocations just fail. Example:
      [    1.114914] bgmac_bcma bcma0:2: Allocation of TX ring 0x200 failed
      [    1.121215] bgmac_bcma bcma0:2: Unable to alloc memory for DMA
      [    1.127626] bgmac_bcma: probe of bcma0:2 failed with error -12
      [    1.133838] bgmac_bcma: Broadcom 47xx GBit MAC driver loaded
      
      The bgmac driver also triggers a WARNING:
      [    0.959486] ------------[ cut here ]------------
      [    0.964387] WARNING: CPU: 0 PID: 1 at ./include/linux/dma-mapping.h:516 bgmac_enet_probe+0x1b4/0x5c4
      [    0.973751] Modules linked in:
      [    0.976913] CPU: 0 PID: 1 Comm: swapper Not tainted 4.19.9 #0
      [    0.982750] Stack : 804a0000 804597c4 00000000 00000000 80458fd8 8381bc2c 838282d4 80481a47
      [    0.991367]         8042e3ec 00000001 804d38f0 00000204 83980000 00000065 8381bbe0 6f55b24f
      [    0.999975]         00000000 00000000 80520000 00002018 00000000 00000075 00000007 00000000
      [    1.008583]         00000000 80480000 000ee811 00000000 00000000 00000000 80432c00 80248db8
      [    1.017196]         00000009 00000204 83980000 803ad7b0 00000000 801feeec 00000000 804d0000
      [    1.025804]         ...
      [    1.028325] Call Trace:
      [    1.030875] [<8000aef8>] show_stack+0x58/0x100
      [    1.035513] [<8001f8b4>] __warn+0xe4/0x118
      [    1.039708] [<8001f9a4>] warn_slowpath_null+0x48/0x64
      [    1.044935] [<80248db8>] bgmac_enet_probe+0x1b4/0x5c4
      [    1.050101] [<802498e0>] bgmac_probe+0x558/0x590
      [    1.054906] [<80252fd0>] bcma_device_probe+0x38/0x70
      [    1.060017] [<8020e1e8>] really_probe+0x170/0x2e8
      [    1.064891] [<8020e714>] __driver_attach+0xa4/0xec
      [    1.069784] [<8020c1e0>] bus_for_each_dev+0x58/0xb0
      [    1.074833] [<8020d590>] bus_add_driver+0xf8/0x218
      [    1.079731] [<8020ef24>] driver_register+0xcc/0x11c
      [    1.084804] [<804b54cc>] bgmac_init+0x1c/0x44
      [    1.089258] [<8000121c>] do_one_initcall+0x7c/0x1a0
      [    1.094343] [<804a1d34>] kernel_init_freeable+0x150/0x218
      [    1.099886] [<803a082c>] kernel_init+0x10/0x104
      [    1.104583] [<80005878>] ret_from_kernel_thread+0x14/0x1c
      [    1.110107] ---[ end trace f441c0d873d1fb5b ]---
      
      This patch setups a "struct device" (and passes it to the bcma) which
      allows fixing all the mentioned problems. It'll also require a tiny bcma
      patch which will follow through the wireless tree & its maintainer.
      
      Fixes: f8c55dc6 ("MIPS: use generic dma noncoherent ops for simple noncoherent platforms")
      Signed-off-by: NRafał Miłecki <rafal@milecki.pl>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Acked-by: NHauke Mehrtens <hauke@hauke-m.de>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: linux-wireless@vger.kernel.org
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: linux-mips@linux-mips.org
      Cc: linux-kernel@vger.kernel.org
      Cc: stable@vger.kernel.org # v4.19+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      19f41f32
    • A
      mips: fix n32 compat_ipc_parse_version · 8f469dc0
      Arnd Bergmann 提交于
      commit 5a9372f751b5350e0ce3d2ee91832f1feae2c2e5 upstream.
      
      While reading through the sysvipc implementation, I noticed that the n32
      semctl/shmctl/msgctl system calls behave differently based on whether
      o32 support is enabled or not: Without o32, the IPC_64 flag passed by
      user space is rejected but calls without that flag get IPC_64 behavior.
      
      As far as I can tell, this was inadvertently changed by a cleanup patch
      but never noticed by anyone, possibly nobody has tried using sysvipc
      on n32 after linux-3.19.
      
      Change it back to the old behavior now.
      
      Fixes: 78aaf956 ("MIPS: Compat: Fix build error if CONFIG_MIPS32_COMPAT but no compat ABI.")
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: linux-mips@vger.kernel.org
      Cc: stable@vger.kernel.org # 3.19+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f469dc0
    • I
      scsi: sd: Fix cache_type_store() · 9d37f4a0
      Ivan Mironov 提交于
      commit 44759979a49bfd2d20d789add7fa81a21eb1a4ab upstream.
      
      Changing of caching mode via /sys/devices/.../scsi_disk/.../cache_type may
      fail if device responds to MODE SENSE command with DPOFUA flag set, and
      then checks this flag to be not set on MODE SELECT command.
      
      In this scenario, when trying to change cache_type, write always fails:
      
      	# echo "none" >cache_type
      	bash: echo: write error: Invalid argument
      
      And following appears in dmesg:
      
      	[13007.865745] sd 1:0:1:0: [sda] Sense Key : Illegal Request [current]
      	[13007.865753] sd 1:0:1:0: [sda] Add. Sense: Invalid field in parameter list
      
      From SBC-4 r15, 6.5.1 "Mode pages overview", description of DEVICE-SPECIFIC
      PARAMETER field in the mode parameter header:
      	...
      	The write protect (WP) bit for mode data sent with a MODE SELECT
      	command shall be ignored by the device server.
      	...
      	The DPOFUA bit is reserved for mode data sent with a MODE SELECT
      	command.
      	...
      
      The remaining bits in the DEVICE-SPECIFIC PARAMETER byte are also reserved
      and shall be set to zero.
      
      [mkp: shuffled commentary to commit description]
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NIvan Mironov <mironov.ivan@gmail.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9d37f4a0
    • S
      scsi: core: Synchronize request queue PM status only on successful resume · d368f540
      Stanley Chu 提交于
      commit 3f7e62bba0003f9c68f599f5997c4647ef5b4f4e upstream.
      
      The commit 356fd266 ("scsi: Set request queue runtime PM status back to
      active on resume") fixed up the inconsistent RPM status between request
      queue and device. However changing request queue RPM status shall be done
      only on successful resume, otherwise status may be still inconsistent as
      below,
      
      Request queue: RPM_ACTIVE
      Device: RPM_SUSPENDED
      
      This ends up soft lockup because requests can be submitted to underlying
      devices but those devices and their required resource are not resumed.
      
      For example,
      
      After above inconsistent status happens, IO request can be submitted to UFS
      device driver but required resource (like clock) is not resumed yet thus
      lead to warning as below call stack,
      
      WARN_ON(hba->clk_gating.state != CLKS_ON);
      ufshcd_queuecommand
      scsi_dispatch_cmd
      scsi_request_fn
      __blk_run_queue
      cfq_insert_request
      __elv_add_request
      blk_flush_plug_list
      blk_finish_plug
      jbd2_journal_commit_transaction
      kjournald2
      
      We may see all behind IO requests hang because of no response from storage
      host or device and then soft lockup happens in system. In the end, system
      may crash in many ways.
      
      Fixes: 356fd266 (scsi: Set request queue runtime PM status back to active on resume)
      Cc: stable@vger.kernel.org
      Signed-off-by: NStanley Chu <stanley.chu@mediatek.com>
      Reviewed-by: NBart Van Assche <bvanassche@acm.org>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d368f540