1. 10 11月, 2019 15 次提交
  2. 06 11月, 2019 25 次提交
    • G
      Linux 4.19.82 · 5ee93551
      Greg Kroah-Hartman 提交于
      5ee93551
    • T
      Revert "ALSA: hda: Flush interrupts on disabling" · 914a7d42
      Takashi Iwai 提交于
      [ Upstream commit 1a7f60b9df614bb36d14dc0c0bc898a31b2b506f ]
      
      This reverts commit caa8422d01e983782548648e125fd617cadcec3f.
      
      It turned out that this commit caused a regression at shutdown /
      reboot, as the synchronize_irq() calls seems blocking the whole
      shutdown.  Also another part of the change about shuffling the call
      order looks suspicious; the azx_stop_chip() call disables the CORB /
      RIRB while the others may still need the CORB/RIRB update.
      
      Since the original commit itself was a cargo-fix, let's revert the
      whole patch.
      
      Fixes: caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling")
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205333
      BugLinK: https://bugs.freedesktop.org/show_bug.cgi?id=111174Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Link: https://lore.kernel.org/r/20191028081056.22010-1-tiwai@suse.deSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      914a7d42
    • N
      powerpc/powernv: Fix CPU idle to be called with IRQs disabled · 8f560302
      Nicholas Piggin 提交于
      [ Upstream commit 7d6475051fb3d9339c5c760ed9883bc0a9048b21 ]
      
      Commit e78a7614f3876 ("idle: Prevent late-arriving interrupts from
      disrupting offline") changes arch_cpu_idle_dead to be called with
      interrupts disabled, which triggers the WARN in pnv_smp_cpu_kill_self.
      
      Fix this by fixing up irq_happened after hard disabling, rather than
      requiring there are no pending interrupts, similarly to what was done
      done until commit 2525db04 ("powerpc/powernv: Simplify lazy IRQ
      handling in CPU offline").
      
      Fixes: e78a7614f3876 ("idle: Prevent late-arriving interrupts from disrupting offline")
      Reported-by: NPaul Mackerras <paulus@samba.org>
      Signed-off-by: NNicholas Piggin <npiggin@gmail.com>
      [mpe: Add unexpected_mask rather than checking for known bad values,
            change the WARN_ON() to a WARN_ON_ONCE()]
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20191022115814.22456-1-npiggin@gmail.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      8f560302
    • J
      ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface · 92930e92
      Justin Song 提交于
      [ Upstream commit e2995b95a914bbc6b5352be27d5d5f33ec802d2c ]
      
      This patch adds native DSD support for Gustard U16/X26 USB Interface.
      Tested using VID and fp->dsd_raw method.
      Signed-off-by: NJustin Song <flyingecar@gmail.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/CA+9XP1ipsFn+r3bCBKRinQv-JrJ+EHOGBdZWZoMwxFv0R8Y1MQ@mail.gmail.comSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      92930e92
    • J
      ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel · c08182db
      Jussi Laako 提交于
      [ Upstream commit 0067e154b11e236d62a7a8205f321b097c21a35b ]
      
      Oppo has issued firmware updates that change alt setting used for DSD
      support. However, these devices seem to support auto-detection, so
      support is moved from explicit whitelisting to auto-detection.
      
      Also Rotel devices have USB interfaces that support DSD with
      auto-detection.
      Signed-off-by: NJussi Laako <jussi@sonarnerd.net>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c08182db
    • J
      ALSA: usb-audio: DSD auto-detection for Playback Designs · d8808d2e
      Jussi Laako 提交于
      [ Upstream commit eb7505d52a2f8b0cfc3fd7146d8cb2dab5a73f0d ]
      
      Add DSD support auto-detection for newer Playback Designs devices. Older
      device generations have a different USB interface implementation.
      
      Keep the auto-detection VID whitelist sorted.
      Signed-off-by: NJussi Laako <jussi@sonarnerd.net>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d8808d2e
    • T
      ALSA: timer: Fix mutex deadlock at releasing card · 83131743
      Takashi Iwai 提交于
      [ Upstream commit a39331867335d4a94b6165e306265c9e24aca073 ]
      
      When a card is disconnected while in use, the system waits until all
      opened files are closed then releases the card.  This is done via
      put_device() of the card device in each device release code.
      
      The recently reported mutex deadlock bug happens in this code path;
      snd_timer_close() for the timer device deals with the global
      register_mutex and it calls put_device() there.  When this timer
      device is the last one, the card gets freed and it eventually calls
      snd_timer_free(), which has again the protection with the global
      register_mutex -- boom.
      
      Basically put_device() call itself is race-free, so a relative simple
      workaround is to move this put_device() call out of the mutex.  For
      achieving that, in this patch, snd_timer_close_locked() got a new
      argument to store the card device pointer in return, and each caller
      invokes put_device() with the returned object after the mutex unlock.
      Reported-and-tested-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      83131743
    • T
      ALSA: timer: Simplify error path in snd_timer_open() · 145fadf6
      Takashi Iwai 提交于
      [ Upstream commit 41672c0c24a62699d20aab53b98d843b16483053 ]
      
      Just a minor refactoring to use the standard goto for error paths in
      snd_timer_open() instead of open code.  The first mutex_lock() is
      moved to the beginning of the function to make the code clearer.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      145fadf6
    • E
      sch_netem: fix rcu splat in netem_enqueue() · a6c91087
      Eric Dumazet 提交于
      commit 159d2c7d8106177bd9a986fd005a311fe0d11285 upstream.
      
      qdisc_root() use from netem_enqueue() triggers a lockdep warning.
      
      __dev_queue_xmit() uses rcu_read_lock_bh() which is
      not equivalent to rcu_read_lock() + local_bh_disable_bh as far
      as lockdep is concerned.
      
      WARNING: suspicious RCU usage
      5.3.0-rc7+ #0 Not tainted
      -----------------------------
      include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      3 locks held by syz-executor427/8855:
       #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
       #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214
       #1: 00000000b5525c01 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x20a/0x3650 net/core/dev.c:3804
       #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
       #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_xmit_skb net/core/dev.c:3502 [inline]
       #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838
      
      stack backtrace:
      CPU: 0 PID: 8855 Comm: syz-executor427 Not tainted 5.3.0-rc7+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5357
       qdisc_root include/net/sch_generic.h:492 [inline]
       netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479
       __dev_xmit_skb net/core/dev.c:3527 [inline]
       __dev_queue_xmit+0x15d2/0x3650 net/core/dev.c:3838
       dev_queue_xmit+0x18/0x20 net/core/dev.c:3902
       neigh_hh_output include/net/neighbour.h:500 [inline]
       neigh_output include/net/neighbour.h:509 [inline]
       ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228
       __ip_finish_output net/ipv4/ip_output.c:308 [inline]
       __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290
       ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417
       dst_output include/net/dst.h:436 [inline]
       ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125
       ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555
       udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:887
       udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1174
       inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6c91087
    • V
      net: usb: sr9800: fix uninitialized local variable · 3ecf8529
      Valentin Vidic 提交于
      commit 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 upstream.
      
      Make sure res does not contain random value if the call to
      sr_read_cmd fails for some reason.
      
      Reported-by: syzbot+f1842130bbcfb335bac1@syzkaller.appspotmail.com
      Signed-off-by: NValentin Vidic <vvidic@valentin-vidic.from.hr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ecf8529
    • E
      bonding: fix potential NULL deref in bond_update_slave_arr · 14a703ef
      Eric Dumazet 提交于
      commit a7137534b597b7c303203e6bc3ed87e87a273bb8 upstream.
      
      syzbot got a NULL dereference in bond_update_slave_arr() [1],
      happening after a failure to allocate bond->slave_arr
      
      A workqueue (bond_slave_arr_handler) is supposed to retry
      the allocation later, but if the slave is removed before
      the workqueue had a chance to complete, bond->slave_arr
      can still be NULL.
      
      [1]
      
      Failed to build slave-array.
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      Modules linked in:
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039
      RSP: 0018:ffff88018fe33678 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000
      RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20
      RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0
      FS:  00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       [<ffffffff82b5b45e>] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923
       [<ffffffff82b5b966>] bond_release drivers/net/bonding/bond_main.c:2039 [inline]
       [<ffffffff82b5b966>] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562
       [<ffffffff83ae25f4>] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328
       [<ffffffff83ae2e58>] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495
       [<ffffffff83995ffd>] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088
       [<ffffffff83996a80>] sock_ioctl+0x300/0x5d0 net/socket.c:1196
       [<ffffffff81b124db>] vfs_ioctl fs/ioctl.c:47 [inline]
       [<ffffffff81b124db>] file_ioctl fs/ioctl.c:501 [inline]
       [<ffffffff81b124db>] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688
       [<ffffffff81b12dc6>] SYSC_ioctl fs/ioctl.c:705 [inline]
       [<ffffffff81b12dc6>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696
       [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
       [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: ee637714 ("bonding: Simplify the xmit function for modes that use xmit_hash")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14a703ef
    • J
      NFC: pn533: fix use-after-free and memleaks · 24aaf7f4
      Johan Hovold 提交于
      commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream.
      
      The driver would fail to deregister and its class device and free
      related resources on late probe errors.
      
      Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com
      Fixes: 32ecc75d ("NFC: pn533: change order operations in dev registation")
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24aaf7f4
    • D
      rxrpc: Fix trace-after-put looking at the put peer record · 8d9c4a9b
      David Howells 提交于
      commit 55f6c98e3674ce16038a1949c3f9ca5a9a99f289 upstream.
      
      rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
      of the refcount - which looks at the debug_id in the peer record.  But
      unless the refcount was reduced to zero, we no longer have the right to
      look in the record and, indeed, it may be deleted by some other thread.
      
      Fix this by getting the debug_id out before decrementing the refcount and
      then passing that into the tracepoint.
      
      This can cause the following symptoms:
      
          BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
          [inline]
          BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
          net/rxrpc/peer_object.c:435
          Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
      
      Fixes: 1159d4b4 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
      Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d9c4a9b
    • D
      rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record · e8e51ce7
      David Howells 提交于
      commit 9ebeddef58c41bd700419cdcece24cf64ce32276 upstream.
      
      The rxrpc_peer record needs to hold a reference on the rxrpc_local record
      it points as the peer is used as a base to access information in the
      rxrpc_local record.
      
      This can cause problems in __rxrpc_put_peer(), where we need the network
      namespace pointer, and in rxrpc_send_keepalive(), where we need to access
      the UDP socket, leading to symptoms like:
      
          BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
          [inline]
          BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
          net/rxrpc/peer_object.c:435
          Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
      
      Fix this by taking a ref on the local record for the peer record.
      
      Fixes: ace45bec ("rxrpc: Fix firewall route keepalive")
      Fixes: 2baec2c3 ("rxrpc: Support network namespacing")
      Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8e51ce7
    • D
      rxrpc: Fix call ref leak · 570ab0dd
      David Howells 提交于
      commit c48fc11b69e95007109206311b0187a3090591f3 upstream.
      
      When sendmsg() finds a call to continue on with, if the call is in an
      inappropriate state, it doesn't release the ref it just got on that call
      before returning an error.
      
      This causes the following symptom to show up with kasan:
      
      	BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
      	net/rxrpc/output.c:635
      	Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077
      
      where line 635 is:
      
      	whdr.epoch	= htonl(peer->local->rxnet->epoch);
      
      The local endpoint (which cannot be pinned by the call) has been released,
      but not the peer (which is pinned by the call).
      
      Fix this by releasing the call in the error path.
      
      Fixes: 37411cad ("rxrpc: Fix potential NULL-pointer exception")
      Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      570ab0dd
    • E
      llc: fix sk_buff leak in llc_conn_service() · d634bd01
      Eric Biggers 提交于
      commit b74555de21acd791f12c4a1aeaf653dd7ac21133 upstream.
      
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff88811eb3de00 (size 224):
             comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff  ..8$............
             backtrace:
               [<000000008d1c66a1>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
               [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140  net/llc/llc_c_ac.c:777
               [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475  [inline]
               [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
               [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640  net/llc/llc_conn.c:75
               [<00000000f27e53c1>] llc_establish_connection+0x110/0x170  net/llc/llc_if.c:109
               [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
               [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
               [...]
      
      The bug is that most callers of llc_conn_send_pdu() assume it consumes a
      reference to the skb, when actually due to commit b85ab56c ("llc:
      properly handle dev_queue_xmit() return value") it doesn't.
      
      Revert most of that commit, and instead make the few places that need
      llc_conn_send_pdu() to *not* consume a reference call skb_get() before.
      
      Fixes: b85ab56c ("llc: properly handle dev_queue_xmit() return value")
      Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d634bd01
    • E
      llc: fix sk_buff leak in llc_sap_state_process() · 3f3f7409
      Eric Biggers 提交于
      commit c6ee11c39fcc1fb55130748990a8f199e76263b4 upstream.
      
      syzbot reported:
      
          BUG: memory leak
          unreferenced object 0xffff888116270800 (size 224):
             comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s)
             hex dump (first 32 bytes):
               00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
               00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff  . .*.....@=*....
             backtrace:
               [<000000004d41b4cc>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
               [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline]
               [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline]
               [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
               [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
               [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline]
               [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250  net/core/skbuff.c:5327
               [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0  net/core/sock.c:2225
               [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
               [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
               [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline]
               [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671
               [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
      	 [...]
      
      The bug is that llc_sap_state_process() always takes an extra reference
      to the skb, but sometimes neither llc_sap_next_state() nor
      llc_sap_state_process() itself drops this reference.
      
      Fix it by changing llc_sap_next_state() to never consume a reference to
      the skb, rather than sometimes do so and sometimes not.  Then remove the
      extra skb_get() and kfree_skb() from llc_sap_state_process().
      
      Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com
      Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NEric Biggers <ebiggers@google.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f3f7409
    • S
      batman-adv: Avoid free/alloc race when handling OGM buffer · 948e8eba
      Sven Eckelmann 提交于
      commit 40e220b4218bb3d278e5e8cc04ccdfd1c7ff8307 upstream.
      
      Each slave interface of an B.A.T.M.A.N. IV virtual interface has an OGM
      packet buffer which is initialized using data from netdevice notifier and
      other rtnetlink related hooks. It is sent regularly via various slave
      interfaces of the batadv virtual interface and in this process also
      modified (realloced) to integrate additional state information via TVLV
      containers.
      
      It must be avoided that the worker item is executed without a common lock
      with the netdevice notifier/rtnetlink helpers. Otherwise it can either
      happen that half modified/freed data is sent out or functions modifying the
      OGM buffer try to access already freed memory regions.
      
      Reported-by: syzbot+0cc629f19ccb8534935b@syzkaller.appspotmail.com
      Fixes: c6c8fea2 ("net: Add batman-adv meshing protocol")
      Signed-off-by: NSven Eckelmann <sven@narfation.org>
      Signed-off-by: NSimon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      948e8eba
    • T
      NFS: Fix an RCU lock leak in nfs4_refresh_delegation_stateid() · 74001646
      Trond Myklebust 提交于
      commit 79cc55422ce99be5964bde208ba8557174720893 upstream.
      
      A typo in nfs4_refresh_delegation_stateid() means we're leaking an
      RCU lock, and always returning a value of 'false'. As the function
      description states, we were always supposed to return 'true' if a
      matching delegation was found.
      
      Fixes: 12f275cd ("NFSv4: Retry CLOSE and DELEGRETURN on NFS4ERR_OLD_STATEID.")
      Cc: stable@vger.kernel.org # v4.15+
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: NAnna Schumaker <Anna.Schumaker@Netapp.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      74001646
    • P
      drm/amdgpu/powerplay/vega10: allow undervolting in p7 · fd9a708c
      Pelle van Gils 提交于
      commit e6f4e274c1e52d1f0bfe293fb44ddf59de6c0374 upstream.
      
      The vega10_odn_update_soc_table() function does not allow the SCLK
      dependent voltage to be set for power-state 7 to a value below the default
      in pptable. Change the for-loop condition to allow undervolting in the
      highest state.
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205277Signed-off-by: NPelle van Gils <pelle@vangils.xyz>
      Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fd9a708c
    • T
      dmaengine: cppi41: Fix cppi41_dma_prep_slave_sg() when idle · 3e285a5c
      Tony Lindgren 提交于
      commit bacdcb6675e170bb2e8d3824da220e10274f42a7 upstream.
      
      Yegor Yefremov <yegorslists@googlemail.com> reported that musb and ftdi
      uart can fail for the first open of the uart unless connected using
      a hub.
      
      This is because the first dma call done by musb_ep_program() must wait
      if cppi41 is PM runtime suspended. Otherwise musb_ep_program() continues
      with other non-dma packets before the DMA transfer is started causing at
      least ftdi uarts to fail to receive data.
      
      Let's fix the issue by waking up cppi41 with PM runtime calls added to
      cppi41_dma_prep_slave_sg() and return NULL if still idled. This way we
      have musb_ep_program() continue with PIO until cppi41 is awake.
      
      Fixes: fdea2d09 ("dmaengine: cppi41: Add basic PM runtime support")
      Reported-by: NYegor Yefremov <yegorslists@googlemail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Cc: stable@vger.kernel.org # v4.9+
      Link: https://lore.kernel.org/r/20191023153138.23442-1-tony@atomide.comSigned-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3e285a5c
    • J
      dmaengine: qcom: bam_dma: Fix resource leak · a0e406be
      Jeffrey Hugo 提交于
      commit 7667819385457b4aeb5fac94f67f52ab52cc10d5 upstream.
      
      bam_dma_terminate_all() will leak resources if any of the transactions are
      committed to the hardware (present in the desc fifo), and not complete.
      Since bam_dma_terminate_all() does not cause the hardware to be updated,
      the hardware will still operate on any previously committed transactions.
      This can cause memory corruption if the memory for the transaction has been
      reassigned, and will cause a sync issue between the BAM and its client(s).
      
      Fix this by properly updating the hardware in bam_dma_terminate_all().
      
      Fixes: e7c0fe2a ("dmaengine: add Qualcomm BAM dma driver")
      Signed-off-by: NJeffrey Hugo <jeffrey.l.hugo@gmail.com>
      Cc: stable@vger.kernel.org
      Link: https://lore.kernel.org/r/20191017152606.34120-1-jeffrey.l.hugo@gmail.comSigned-off-by: NVinod Koul <vkoul@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a0e406be
    • L
      rtlwifi: Fix potential overflow on P2P code · 64efcbc7
      Laura Abbott 提交于
      commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream.
      
      Nicolas Waisman noticed that even though noa_len is checked for
      a compatible length it's still possible to overrun the buffers
      of p2pinfo since there's no check on the upper bound of noa_num.
      Bound noa_num against P2P_MAX_NOA_NUM.
      Reported-by: NNicolas Waisman <nico@semmle.com>
      Signed-off-by: NLaura Abbott <labbott@redhat.com>
      Acked-by: NPing-Ke Shih <pkshih@realtek.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      64efcbc7
    • C
      arm64: Ensure VM_WRITE|VM_SHARED ptes are clean by default · a8166916
      Catalin Marinas 提交于
      commit aa57157be69fb599bd4c38a4b75c5aad74a60ec0 upstream.
      
      Shared and writable mappings (__S.1.) should be clean (!dirty) initially
      and made dirty on a subsequent write either through the hardware DBM
      (dirty bit management) mechanism or through a write page fault. A clean
      pte for the arm64 kernel is one that has PTE_RDONLY set and PTE_DIRTY
      clear.
      
      The PAGE_SHARED{,_EXEC} attributes have PTE_WRITE set (PTE_DBM) and
      PTE_DIRTY clear. Prior to commit 73e86cb0 ("arm64: Move PTE_RDONLY
      bit handling out of set_pte_at()"), it was the responsibility of
      set_pte_at() to set the PTE_RDONLY bit and mark the pte clean if the
      software PTE_DIRTY bit was not set. However, the above commit removed
      the pte_sw_dirty() check and the subsequent setting of PTE_RDONLY in
      set_pte_at() while leaving the PAGE_SHARED{,_EXEC} definitions
      unchanged. The result is that shared+writable mappings are now dirty by
      default
      
      Fix the above by explicitly setting PTE_RDONLY in PAGE_SHARED{,_EXEC}.
      In addition, remove the superfluous PTE_DIRTY bit from the kernel PROT_*
      attributes.
      
      Fixes: 73e86cb0 ("arm64: Move PTE_RDONLY bit handling out of set_pte_at()")
      Cc: <stable@vger.kernel.org> # 4.14.x-
      Cc: Will Deacon <will@kernel.org>
      Signed-off-by: NCatalin Marinas <catalin.marinas@arm.com>
      Signed-off-by: NWill Deacon <will@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a8166916
    • H
      s390/idle: fix cpu idle time calculation · 8dd60660
      Heiko Carstens 提交于
      commit 3d7efa4edd07be5c5c3ffa95ba63e97e070e1f3f upstream.
      
      The idle time reported in /proc/stat sometimes incorrectly contains
      huge values on s390. This is caused by a bug in arch_cpu_idle_time().
      
      The kernel tries to figure out when a different cpu entered idle by
      accessing its per-cpu data structure. There is an ordering problem: if
      the remote cpu has an idle_enter value which is not zero, and an
      idle_exit value which is zero, it is assumed it is idle since
      "now". The "now" timestamp however is taken before the idle_enter
      value is read.
      
      Which in turn means that "now" can be smaller than idle_enter of the
      remote cpu. Unconditionally subtracting idle_enter from "now" can thus
      lead to a negative value (aka large unsigned value).
      
      Fix this by moving the get_tod_clock() invocation out of the
      loop. While at it also make the code a bit more readable.
      
      A similar bug also exists for show_idle_time(). Fix this is as well.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: NVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8dd60660