1. 13 12月, 2019 40 次提交
    • D
      iomap: partially revert 4721a601099 (simulated directio short read on EFAULT) · 4c67dbea
      Darrick J. Wong 提交于
      [ Upstream commit 8f67b5adc030553fbc877124306f3f3bdab89aa8 ]
      
      In commit 4721a601099, we tried to fix a problem wherein directio reads
      into a splice pipe will bounce EFAULT/EAGAIN all the way out to
      userspace by simulating a zero-byte short read.  This happens because
      some directio read implementations (xfs) will call
      bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous
      reads, but as soon as we run out of pipe buffers that _get_pages call
      returns EFAULT, which the splice code translates to EAGAIN and bounces
      out to userspace.
      
      In that commit, the iomap code catches the EFAULT and simulates a
      zero-byte read, but that causes assertion errors on regular splice reads
      because xfs doesn't allow short directio reads.  This causes infinite
      splice() loops and assertion failures on generic/095 on overlayfs
      because xfs only permit total success or total failure of a directio
      operation.  The underlying issue in the pipe splice code has now been
      fixed by changing the pipe splice loop to avoid avoid reading more data
      than there is space in the pipe.
      
      Therefore, it's no longer necessary to simulate the short directio, so
      remove the hack from iomap.
      
      Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill")
      Reported-by: NMurphy Zhou <jencce.kernel@gmail.com>
      Ranted-by: NAmir Goldstein <amir73il@gmail.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4c67dbea
    • D
      splice: don't read more than available pipe space · 019b6325
      Darrick J. Wong 提交于
      [ Upstream commit 17614445576b6af24e9cf36607c6448164719c96 ]
      
      In commit 4721a601099, we tried to fix a problem wherein directio reads
      into a splice pipe will bounce EFAULT/EAGAIN all the way out to
      userspace by simulating a zero-byte short read.  This happens because
      some directio read implementations (xfs) will call
      bio_iov_iter_get_pages to grab pipe buffer pages and issue asynchronous
      reads, but as soon as we run out of pipe buffers that _get_pages call
      returns EFAULT, which the splice code translates to EAGAIN and bounces
      out to userspace.
      
      In that commit, the iomap code catches the EFAULT and simulates a
      zero-byte read, but that causes assertion errors on regular splice reads
      because xfs doesn't allow short directio reads.
      
      The brokenness is compounded by splice_direct_to_actor immediately
      bailing on do_splice_to returning <= 0 without ever calling ->actor
      (which empties out the pipe), so if userspace calls back we'll EFAULT
      again on the full pipe, and nothing ever gets copied.
      
      Therefore, teach splice_direct_to_actor to clamp its requests to the
      amount of free space in the pipe and remove the simulated short read
      from the iomap directio code.
      
      Fixes: 4721a601099 ("iomap: dio data corruption and spurious errors when pipes fill")
      Reported-by: NMurphy Zhou <jencce.kernel@gmail.com>
      Ranted-by: NAmir Goldstein <amir73il@gmail.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      019b6325
    • A
      perf script: Fix invalid LBR/binary mismatch error · 484c4d9a
      Adrian Hunter 提交于
      [ Upstream commit 5172672da02e483d9b3c4d814c3482d0c8ffb1a6 ]
      
      The 'len' returned by grab_bb() includes an extra MAXINSN bytes to allow
      for the last instruction, so the the final 'offs' will not be 'len'.
      Fix the error condition logic accordingly.
      
      Before:
      
        $ perf record -e '{intel_pt//,cpu/mem_inst_retired.all_loads,aux-sample-size=8192/pp}:u' grep -rqs jhgjhg /boot
        [ perf record: Woken up 19 times to write data ]
        [ perf record: Captured and wrote 2.274 MB perf.data ]
        $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head
                  grep 13759 [002]  8091.310257:       1862                                        instructions:uH:      5641d58069eb bmexec+0x86b (/bin/grep)
              bmexec+2485:
              00005641d5806b35                        jnz 0x5641d5806bd0              # MISPRED
              00005641d5806bd0                        movzxb  (%r13,%rdx,1), %eax
              00005641d5806bd6                        add %rdi, %rax
              00005641d5806bd9                        movzxb  -0x1(%rax), %edx
              00005641d5806bdd                        cmp %rax, %r14
              00005641d5806be0                        jnb 0x5641d58069c0              # MISPRED
              mismatch of LBR data and executable
              00005641d58069c0                        movzxb  (%r13,%rdx,1), %edi
      
      After:
      
        $ perf script -F +brstackinsn --xed --itrace=i1usl100 | head
                  grep 13759 [002]  8091.310257:       1862                                        instructions:uH:      5641d58069eb bmexec+0x86b (/bin/grep)
              bmexec+2485:
              00005641d5806b35                        jnz 0x5641d5806bd0              # MISPRED
              00005641d5806bd0                        movzxb  (%r13,%rdx,1), %eax
              00005641d5806bd6                        add %rdi, %rax
              00005641d5806bd9                        movzxb  -0x1(%rax), %edx
              00005641d5806bdd                        cmp %rax, %r14
              00005641d5806be0                        jnb 0x5641d58069c0              # MISPRED
              00005641d58069c0                        movzxb  (%r13,%rdx,1), %edi
              00005641d58069c6                        add %rax, %rdi
      
      Fixes: e98df280bc2a ("perf script brstackinsn: Fix recovery from LBR/binary mismatch")
      Reported-by: NAndi Kleen <ak@linux.intel.com>
      Signed-off-by: NAdrian Hunter <adrian.hunter@intel.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Link: http://lore.kernel.org/lkml/20191127095631.15663-1-adrian.hunter@intel.comSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      484c4d9a
    • J
      watchdog: aspeed: Fix clock behaviour for ast2600 · 5cdbe243
      Joel Stanley 提交于
      [ Upstream commit c04571251b3d842096f1597f5d4badb508be016d ]
      
      The ast2600 no longer uses bit 4 in the control register to indicate a
      1MHz clock (It now controls whether this watchdog is reset by a SOC
      reset). This means we do not want to set it. It also does not need to be
      set for the ast2500, as it is read-only on that SoC.
      
      The comment next to the clock rate selection wandered away from where it
      was set, so put it back next to the register setting it's describing.
      
      Fixes: b3528b487448 ("watchdog: aspeed: Add support for AST2600")
      Signed-off-by: NJoel Stanley <joel@jms.id.au>
      Reviewed-by: NCédric Le Goater <clg@kaod.org>
      Reviewed-by: NGuenter Roeck <linux@roeck-us.net>
      Link: https://lore.kernel.org/r/20191108032905.22463-1-joel@jms.id.auSigned-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NWim Van Sebroeck <wim@linux-watchdog.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5cdbe243
    • D
      md/raid0: Fix an error message in raid0_make_request() · 23c81ea6
      Dan Carpenter 提交于
      [ Upstream commit e3fc3f3d0943b126f76b8533960e4168412d9e5a ]
      
      The first argument to WARN() is supposed to be a condition.  The
      original code will just print the mdname() instead of the full warning
      message.
      
      Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.")
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NSong Liu <songliubraving@fb.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      23c81ea6
    • T
      ALSA: hda - Fix pending unsol events at shutdown · ba2247f9
      Takashi Iwai 提交于
      [ Upstream commit ca58f55108fee41d87c9123f85ad4863e5de7f45 ]
      
      This is an alternative fix attemp for the issue reported in the commit
      caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling") that was
      reverted later due to regressions.  Instead of tweaking the hardware
      disablement order and the enforced irq flushing, do calling
      cancel_work_sync() of the unsol work early enough, and explicitly
      ignore the unsol events during the shutdown by checking the
      bus->shutdown flag.
      
      Fixes: caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling")
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Link: https://lore.kernel.org/r/s5h1ruxt9cz.wl-tiwai@suse.deSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ba2247f9
    • J
      binder: Handle start==NULL in binder_update_page_range() · af0174a6
      Jann Horn 提交于
      commit 2a9edd056ed4fbf9d2e797c3fc06335af35bccc4 upstream.
      
      The old loop wouldn't stop when reaching `start` if `start==NULL`, instead
      continuing backwards to index -1 and crashing.
      
      Luckily you need to be highly privileged to map things at NULL, so it's not
      a big problem.
      
      Fix it by adjusting the loop so that the loop variable is always in bounds.
      
      This patch is deliberately minimal to simplify backporting, but IMO this
      function could use a refactor. The jump labels in the second loop body are
      horrible (the error gotos should be jumping to free_range instead), and
      both loops would look nicer if they just iterated upwards through indices.
      And the up_read()+mmput() shouldn't be duplicated like that.
      
      Cc: stable@vger.kernel.org
      Fixes: 457b9a6f ("Staging: android: add binder driver")
      Signed-off-by: NJann Horn <jannh@google.com>
      Acked-by: NChristian Brauner <christian.brauner@ubuntu.com>
      Link: https://lore.kernel.org/r/20191018205631.248274-3-jannh@google.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      af0174a6
    • J
      binder: Fix race between mmap() and binder_alloc_print_pages() · fe0d31ed
      Jann Horn 提交于
      commit 8eb52a1ee37aafd9b796713aa0b3ab9cbc455be3 upstream.
      
      binder_alloc_print_pages() iterates over
      alloc->pages[0..alloc->buffer_size-1] under alloc->mutex.
      binder_alloc_mmap_handler() writes alloc->pages and alloc->buffer_size
      without holding that lock, and even writes them before the last bailout
      point.
      
      Unfortunately we can't take the alloc->mutex in the ->mmap() handler
      because mmap_sem can be taken while alloc->mutex is held.
      So instead, we have to locklessly check whether the binder_alloc has been
      fully initialized with binder_alloc_get_vma(), like in
      binder_alloc_new_buf_locked().
      
      Fixes: 8ef4665a ("android: binder: Add page usage in binder stats")
      Cc: stable@vger.kernel.org
      Signed-off-by: NJann Horn <jannh@google.com>
      Acked-by: NChristian Brauner <christian.brauner@ubuntu.com>
      Link: https://lore.kernel.org/r/20191018205631.248274-1-jannh@google.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe0d31ed
    • N
      vcs: prevent write access to vcsu devices · 627f3b9e
      Nicolas Pitre 提交于
      commit 0c9acb1af77a3cb8707e43f45b72c95266903cee upstream.
      
      Commit d21b0be2 ("vt: introduce unicode mode for /dev/vcs") guarded
      against using devices containing attributes as this is not yet
      implemented. It however failed to guard against writes to any devices
      as this is also unimplemented.
      Reported-by: NOr Cohen <orcohen@paloaltonetworks.com>
      Signed-off-by: NNicolas Pitre <npitre@baylibre.com>
      Cc: <stable@vger.kernel.org> # v4.19+
      Cc: Jiri Slaby <jslaby@suse.com>
      Fixes: d21b0be2 ("vt: introduce unicode mode for /dev/vcs")
      Link: https://lore.kernel.org/r/nycvar.YSQ.7.76.1911051030580.30289@knanqh.ubzrSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      627f3b9e
    • W
      thermal: Fix deadlock in thermal thermal_zone_device_check · fe46db76
      Wei Wang 提交于
      commit 163b00cde7cf2206e248789d2780121ad5e6a70b upstream.
      
      1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone
      device") changed cancel_delayed_work to cancel_delayed_work_sync to avoid
      a use-after-free issue. However, cancel_delayed_work_sync could be called
      insides the WQ causing deadlock.
      
      [54109.642398] c0   1162 kworker/u17:1   D    0 11030      2 0x00000000
      [54109.642437] c0   1162 Workqueue: thermal_passive_wq thermal_zone_device_check
      [54109.642447] c0   1162 Call trace:
      [54109.642456] c0   1162  __switch_to+0x138/0x158
      [54109.642467] c0   1162  __schedule+0xba4/0x1434
      [54109.642480] c0   1162  schedule_timeout+0xa0/0xb28
      [54109.642492] c0   1162  wait_for_common+0x138/0x2e8
      [54109.642511] c0   1162  flush_work+0x348/0x40c
      [54109.642522] c0   1162  __cancel_work_timer+0x180/0x218
      [54109.642544] c0   1162  handle_thermal_trip+0x2c4/0x5a4
      [54109.642553] c0   1162  thermal_zone_device_update+0x1b4/0x25c
      [54109.642563] c0   1162  thermal_zone_device_check+0x18/0x24
      [54109.642574] c0   1162  process_one_work+0x3cc/0x69c
      [54109.642583] c0   1162  worker_thread+0x49c/0x7c0
      [54109.642593] c0   1162  kthread+0x17c/0x1b0
      [54109.642602] c0   1162  ret_from_fork+0x10/0x18
      [54109.643051] c0   1162 kworker/u17:2   D    0 16245      2 0x00000000
      [54109.643067] c0   1162 Workqueue: thermal_passive_wq thermal_zone_device_check
      [54109.643077] c0   1162 Call trace:
      [54109.643085] c0   1162  __switch_to+0x138/0x158
      [54109.643095] c0   1162  __schedule+0xba4/0x1434
      [54109.643104] c0   1162  schedule_timeout+0xa0/0xb28
      [54109.643114] c0   1162  wait_for_common+0x138/0x2e8
      [54109.643122] c0   1162  flush_work+0x348/0x40c
      [54109.643131] c0   1162  __cancel_work_timer+0x180/0x218
      [54109.643141] c0   1162  handle_thermal_trip+0x2c4/0x5a4
      [54109.643150] c0   1162  thermal_zone_device_update+0x1b4/0x25c
      [54109.643159] c0   1162  thermal_zone_device_check+0x18/0x24
      [54109.643167] c0   1162  process_one_work+0x3cc/0x69c
      [54109.643177] c0   1162  worker_thread+0x49c/0x7c0
      [54109.643186] c0   1162  kthread+0x17c/0x1b0
      [54109.643195] c0   1162  ret_from_fork+0x10/0x18
      [54109.644500] c0   1162 cat             D    0  7766      1 0x00000001
      [54109.644515] c0   1162 Call trace:
      [54109.644524] c0   1162  __switch_to+0x138/0x158
      [54109.644536] c0   1162  __schedule+0xba4/0x1434
      [54109.644546] c0   1162  schedule_preempt_disabled+0x80/0xb0
      [54109.644555] c0   1162  __mutex_lock+0x3a8/0x7f0
      [54109.644563] c0   1162  __mutex_lock_slowpath+0x14/0x20
      [54109.644575] c0   1162  thermal_zone_get_temp+0x84/0x360
      [54109.644586] c0   1162  temp_show+0x30/0x78
      [54109.644609] c0   1162  dev_attr_show+0x5c/0xf0
      [54109.644628] c0   1162  sysfs_kf_seq_show+0xcc/0x1a4
      [54109.644636] c0   1162  kernfs_seq_show+0x48/0x88
      [54109.644656] c0   1162  seq_read+0x1f4/0x73c
      [54109.644664] c0   1162  kernfs_fop_read+0x84/0x318
      [54109.644683] c0   1162  __vfs_read+0x50/0x1bc
      [54109.644692] c0   1162  vfs_read+0xa4/0x140
      [54109.644701] c0   1162  SyS_read+0xbc/0x144
      [54109.644708] c0   1162  el0_svc_naked+0x34/0x38
      [54109.845800] c0   1162 D 720.000s 1->7766->7766 cat [panic]
      
      Fixes: 1851799e1d29 ("thermal: Fix use-after-free when unregistering thermal zone device")
      Cc: stable@vger.kernel.org
      Signed-off-by: NWei Wang <wvw@google.com>
      Signed-off-by: NZhang Rui <rui.zhang@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe46db76
    • J
      iomap: Fix pipe page leakage during splicing · b59116ff
      Jan Kara 提交于
      commit 419e9c38aa075ed0cd3c13d47e15954b686bcdb6 upstream.
      
      When splicing using iomap_dio_rw() to a pipe, we may leak pipe pages
      because bio_iov_iter_get_pages() records that the pipe will have full
      extent worth of data however if file size is not block size aligned
      iomap_dio_rw() returns less than what bio_iov_iter_get_pages() set up
      and splice code gets confused leaking a pipe page with the file tail.
      
      Handle the situation similarly to the old direct IO implementation and
      revert iter to actually returned read amount which makes iter consistent
      with value returned from iomap_dio_rw() and thus the splice code is
      happy.
      
      Fixes: ff6a9292 ("iomap: implement direct I/O")
      CC: stable@vger.kernel.org
      Reported-by: syzbot+991400e8eba7e00a26e1@syzkaller.appspotmail.com
      Signed-off-by: NJan Kara <jack@suse.cz>
      Reviewed-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Signed-off-by: NDarrick J. Wong <darrick.wong@oracle.com>
      Reviewed-by: NChristoph Hellwig <hch@lst.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b59116ff
    • V
      RDMA/qib: Validate ->show()/store() callbacks before calling them · 18a23622
      Viresh Kumar 提交于
      commit 7ee23491b39259ae83899dd93b2a29ef0f22f0a7 upstream.
      
      The permissions of the read-only or write-only sysfs files can be
      changed (as root) and the user can then try to read a write-only file or
      write to a read-only file which will lead to kernel crash here.
      
      Protect against that by always validating the show/store callbacks.
      
      Link: https://lore.kernel.org/r/d45cc26361a174ae12dbb86c994ef334d257924b.1573096807.git.viresh.kumar@linaro.orgSigned-off-by: NViresh Kumar <viresh.kumar@linaro.org>
      Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18a23622
    • J
      can: ucan: fix non-atomic allocation in completion handler · 42bd3e78
      Johan Hovold 提交于
      commit 870db5d1015c8bd63e93b579e857223c96249ff7 upstream.
      
      USB completion handlers are called in atomic context and must
      specifically not allocate memory using GFP_KERNEL.
      
      Fixes: 9f2d3eae ("can: ucan: add driver for Theobroma Systems UCAN devices")
      Cc: stable <stable@vger.kernel.org>     # 4.19
      Cc: Jakob Unterwurzacher <jakob.unterwurzacher@theobroma-systems.com>
      Cc: Martin Elshuber <martin.elshuber@theobroma-systems.com>
      Cc: Philipp Tomsich <philipp.tomsich@theobroma-systems.com>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      42bd3e78
    • S
      mwifiex: update set_mac_address logic · 59101399
      Sharvari Harisangam 提交于
      commit 7afb94da3cd8a28ed7ae268143117bf1ac8a3371 upstream.
      
      In set_mac_address, driver check for interfaces with same bss_type
      For first STA entry, this would return 3 interfaces since all priv's have
      bss_type as 0 due to kzalloc. Thus mac address gets changed for STA
      unexpected. This patch adds check for first STA and avoids mac address
      change. This patch also adds mac_address change for p2p based on bss_num
      type.
      Signed-off-by: NSharvari Harisangam <sharvari@marvell.com>
      Signed-off-by: NGanapathi Bhat <gbhat@marvell.com>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Cc: Brian Norris <briannorris@google.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      59101399
    • G
      spi: atmel: Fix CS high support · a1371a61
      Gregory CLEMENT 提交于
      commit 7cbb16b2122c09f2ae393a1542fed628505b9da6 upstream.
      
      Until a few years ago, this driver was only used with CS GPIO. The
      only exception is CS0 on AT91RM9200 which has to use internal CS. A
      limitation of the internal CS is that they don't support CS High.
      
      So by using the CS GPIO the CS high configuration was available except
      for the particular case CS0 on RM9200.
      
      When the support for the internal chip-select was added, the check of
      the CS high support was not updated. Due to this the driver accepts
      this configuration for all the SPI controller v2 (used by all SoCs
      excepting the AT91RM9200) whereas the hardware doesn't support it for
      infernal CS.
      
      This patch fixes the test to match the hardware capabilities.
      
      Fixes: 48203034 ("spi: atmel: add support for the internal chip-select of the spi controller")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NGregory CLEMENT <gregory.clement@bootlin.com>
      Link: https://lore.kernel.org/r/20191017141846.7523-3-gregory.clement@bootlin.comSigned-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a1371a61
    • N
      crypto: user - fix memory leak in crypto_report · 351a567e
      Navid Emamdoost 提交于
      commit ffdde5932042600c6807d46c1550b28b0db6a3bc upstream.
      
      In crypto_report, a new skb is created via nlmsg_new(). This skb should
      be released if crypto_report_alg() fails.
      
      Fixes: a38f7907 ("crypto: Add userspace configuration API")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NNavid Emamdoost <navid.emamdoost@gmail.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      351a567e
    • A
      crypto: ecdh - fix big endian bug in ECC library · cdaeaea6
      Ard Biesheuvel 提交于
      commit f398243e9fd6a3a059c1ea7b380c40628dbf0c61 upstream.
      
      The elliptic curve arithmetic library used by the EC-DH KPP implementation
      assumes big endian byte order, and unconditionally reverses the byte
      and word order of multi-limb quantities. On big endian systems, the byte
      reordering is not necessary, while the word ordering needs to be retained.
      
      So replace the __swab64() invocation with a call to be64_to_cpu() which
      should do the right thing for both little and big endian builds.
      
      Fixes: 3c4b2390 ("crypto: ecdh - Add ECDH software support")
      Cc: <stable@vger.kernel.org> # v4.9+
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cdaeaea6
    • M
      crypto: ccp - fix uninitialized list head · be7993dd
      Mark Salter 提交于
      commit 691505a803a7f223b2af621848d581259c61f77d upstream.
      
      A NULL-pointer dereference was reported in fedora bz#1762199 while
      reshaping a raid6 array after adding a fifth drive to an existing
      array.
      
      [   47.343549] md/raid:md0: raid level 6 active with 3 out of 5 devices, algorithm 2
      [   47.804017] md0: detected capacity change from 0 to 7885289422848
      [   47.822083] Unable to handle kernel read from unreadable memory at virtual address 0000000000000000
      ...
      [   47.940477] CPU: 1 PID: 14210 Comm: md0_raid6 Tainted: G        W         5.2.18-200.fc30.aarch64 #1
      [   47.949594] Hardware name: AMD Overdrive/Supercharger/To be filled by O.E.M., BIOS ROD1002C 04/08/2016
      [   47.958886] pstate: 00400085 (nzcv daIf +PAN -UAO)
      [   47.963668] pc : __list_del_entry_valid+0x2c/0xa8
      [   47.968366] lr : ccp_tx_submit+0x84/0x168 [ccp]
      [   47.972882] sp : ffff00001369b970
      [   47.976184] x29: ffff00001369b970 x28: ffff00001369bdb8
      [   47.981483] x27: 00000000ffffffff x26: ffff8003b758af70
      [   47.986782] x25: ffff8003b758b2d8 x24: ffff8003e6245818
      [   47.992080] x23: 0000000000000000 x22: ffff8003e62450c0
      [   47.997379] x21: ffff8003dfd6add8 x20: 0000000000000003
      [   48.002678] x19: ffff8003e6245100 x18: 0000000000000000
      [   48.007976] x17: 0000000000000000 x16: 0000000000000000
      [   48.013274] x15: 0000000000000000 x14: 0000000000000000
      [   48.018572] x13: ffff7e000ef83a00 x12: 0000000000000001
      [   48.023870] x11: ffff000010eff998 x10: 00000000000019a0
      [   48.029169] x9 : 0000000000000000 x8 : ffff8003e6245180
      [   48.034467] x7 : 0000000000000000 x6 : 000000000000003f
      [   48.039766] x5 : 0000000000000040 x4 : ffff8003e0145080
      [   48.045064] x3 : dead000000000200 x2 : 0000000000000000
      [   48.050362] x1 : 0000000000000000 x0 : ffff8003e62450c0
      [   48.055660] Call trace:
      [   48.058095]  __list_del_entry_valid+0x2c/0xa8
      [   48.062442]  ccp_tx_submit+0x84/0x168 [ccp]
      [   48.066615]  async_tx_submit+0x224/0x368 [async_tx]
      [   48.071480]  async_trigger_callback+0x68/0xfc [async_tx]
      [   48.076784]  ops_run_biofill+0x178/0x1e8 [raid456]
      [   48.081566]  raid_run_ops+0x248/0x818 [raid456]
      [   48.086086]  handle_stripe+0x864/0x1208 [raid456]
      [   48.090781]  handle_active_stripes.isra.0+0xb0/0x278 [raid456]
      [   48.096604]  raid5d+0x378/0x618 [raid456]
      [   48.100602]  md_thread+0xa0/0x150
      [   48.103905]  kthread+0x104/0x130
      [   48.107122]  ret_from_fork+0x10/0x18
      [   48.110686] Code: d2804003 f2fbd5a3 eb03003f 54000320 (f9400021)
      [   48.116766] ---[ end trace 23f390a527f7ad77 ]---
      
      ccp_tx_submit is passed a dma_async_tx_descriptor which is contained in
      a ccp_dma_desc and adds it to a ccp channel's pending list:
      
      	list_del(&desc->entry);
      	list_add_tail(&desc->entry, &chan->pending);
      
      The problem is that desc->entry may be uninitialized in the
      async_trigger_callback path where the descriptor was gotten
      from ccp_prep_dma_interrupt which got it from ccp_alloc_dma_desc
      which doesn't initialize the desc->entry list head. So, just
      initialize the list head to avoid the problem.
      
      Cc: <stable@vger.kernel.org>
      Reported-by: NSahaj Sarup <sahajsarup@gmail.com>
      Signed-off-by: NMark Salter <msalter@redhat.com>
      Acked-by: NGary R Hook <gary.hook@amd.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      be7993dd
    • A
      crypto: af_alg - cast ki_complete ternary op to int · dac11877
      Ayush Sawal 提交于
      commit 64e7f852c47ce99f6c324c46d6a299a5a7ebead9 upstream.
      
      when libkcapi test is executed  using HW accelerator, cipher operation
      return -74.Since af_alg_async_cb->ki_complete treat err as unsigned int,
      libkcapi receive 429467222 even though it expect -ve value.
      
      Hence its required to cast resultlen to int so that proper
      error is returned to libkcapi.
      
      AEAD one shot non-aligned test 2(libkcapi test)
      ./../bin/kcapi   -x 10   -c "gcm(aes)" -i 7815d4b06ae50c9c56e87bd7
      -k ea38ac0c9b9998c80e28fb496a2b88d9 -a
      "853f98a750098bec1aa7497e979e78098155c877879556bb51ddeb6374cbaefc"
      -t "c4ce58985b7203094be1d134c1b8ab0b" -q
      "b03692f86d1b8b39baf2abb255197c98"
      
      Fixes: d887c52d ("crypto: algif_aead - overhaul memory management")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAyush Sawal <ayush.sawal@chelsio.com>
      Signed-off-by: NAtul Gupta <atul.gupta@chelsio.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NAyush Sawal <ayush.sawal@chelsio.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      dac11877
    • T
      crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize · 1e475dc4
      Tudor Ambarus 提交于
      commit 86ef1dfcb561473fbf5e199d58d18c55554d78be upstream.
      
      commit 394a9e044702 ("crypto: cfb - add missing 'chunksize' property")
      adds a test vector where the input length is smaller than the IV length
      (the second test vector). This revealed a NULL pointer dereference in
      the atmel-aes driver, that is caused by passing an incorrect offset in
      scatterwalk_map_and_copy() when atmel_aes_complete() is called.
      
      Do not save the IV in req->info of ablkcipher_request (or equivalently
      req->iv of skcipher_request) when req->nbytes < ivsize, because the IV
      will not be further used.
      
      While touching the code, modify the type of ivsize from int to
      unsigned int, to comply with the return type of
      crypto_ablkcipher_ivsize().
      
      Fixes: 91308019 ("crypto: atmel-aes - properly set IV after {en,de}crypt")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTudor Ambarus <tudor.ambarus@microchip.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1e475dc4
    • C
      crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr · 0d51b4d8
      Christian Lamparter 提交于
      commit 746c908c4d72e49068ab216c3926d2720d71a90d upstream.
      
      This patch fixes a crash that can happen during probe
      when the available dma memory is not enough (this can
      happen if the crypto4xx is built as a module).
      
      The descriptor window mapping would end up being free'd
      twice, once in crypto4xx_build_pdr() and the second time
      in crypto4xx_destroy_sdr().
      
      Fixes: 5d59ad6e ("crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NChristian Lamparter <chunkeey@gmail.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d51b4d8
    • S
      KVM: x86: Grab KVM's srcu lock when setting nested state · 5cbc7ff5
      Sean Christopherson 提交于
      commit ad5996d9a0e8019c3ae5151e687939369acfe044 upstream.
      
      Acquire kvm->srcu for the duration of ->set_nested_state() to fix a bug
      where nVMX derefences ->memslots without holding ->srcu or ->slots_lock.
      
      The other half of nested migration, ->get_nested_state(), does not need
      to acquire ->srcu as it is a purely a dump of internal KVM (and CPU)
      state to userspace.
      
      Detected as an RCU lockdep splat that is 100% reproducible by running
      KVM's state_test selftest with CONFIG_PROVE_LOCKING=y.  Note that the
      failing function, kvm_is_visible_gfn(), is only checking the validity of
      a gfn, it's not actually accessing guest memory (which is more or less
      unsupported during vmx_set_nested_state() due to incorrect MMU state),
      i.e. vmx_set_nested_state() itself isn't fundamentally broken.  In any
      case, setting nested state isn't a fast path so there's no reason to go
      out of our way to avoid taking ->srcu.
      
        =============================
        WARNING: suspicious RCU usage
        5.4.0-rc7+ #94 Not tainted
        -----------------------------
        include/linux/kvm_host.h:626 suspicious rcu_dereference_check() usage!
      
                     other info that might help us debug this:
      
        rcu_scheduler_active = 2, debug_locks = 1
        1 lock held by evmcs_test/10939:
         #0: ffff88826ffcb800 (&vcpu->mutex){+.+.}, at: kvm_vcpu_ioctl+0x85/0x630 [kvm]
      
        stack backtrace:
        CPU: 1 PID: 10939 Comm: evmcs_test Not tainted 5.4.0-rc7+ #94
        Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015
        Call Trace:
         dump_stack+0x68/0x9b
         kvm_is_visible_gfn+0x179/0x180 [kvm]
         mmu_check_root+0x11/0x30 [kvm]
         fast_cr3_switch+0x40/0x120 [kvm]
         kvm_mmu_new_cr3+0x34/0x60 [kvm]
         nested_vmx_load_cr3+0xbd/0x1f0 [kvm_intel]
         nested_vmx_enter_non_root_mode+0xab8/0x1d60 [kvm_intel]
         vmx_set_nested_state+0x256/0x340 [kvm_intel]
         kvm_arch_vcpu_ioctl+0x491/0x11a0 [kvm]
         kvm_vcpu_ioctl+0xde/0x630 [kvm]
         do_vfs_ioctl+0xa2/0x6c0
         ksys_ioctl+0x66/0x70
         __x64_sys_ioctl+0x16/0x20
         do_syscall_64+0x54/0x200
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
        RIP: 0033:0x7f59a2b95f47
      
      Fixes: 8fcc4b59 ("kvm: nVMX: Introduce KVM_CAP_NESTED_STATE")
      Cc: stable@vger.kernel.org
      Signed-off-by: NSean Christopherson <sean.j.christopherson@intel.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5cbc7ff5
    • P
      KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES · 6a10f818
      Paolo Bonzini 提交于
      commit cbbaa2727aa3ae9e0a844803da7cef7fd3b94f2b upstream.
      
      KVM does not implement MSR_IA32_TSX_CTRL, so it must not be presented
      to the guests.  It is also confusing to have !ARCH_CAP_TSX_CTRL_MSR &&
      !RTM && ARCH_CAP_TAA_NO: lack of MSR_IA32_TSX_CTRL suggests TSX was not
      hidden (it actually was), yet the value says that TSX is not vulnerable
      to microarchitectural data sampling.  Fix both.
      
      Cc: stable@vger.kernel.org
      Tested-by: NJim Mattson <jmattson@google.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a10f818
    • P
      KVM: x86: do not modify masked bits of shared MSRs · 5efbd9a9
      Paolo Bonzini 提交于
      commit de1fca5d6e0105c9d33924e1247e2f386efc3ece upstream.
      
      "Shared MSRs" are guest MSRs that are written to the host MSRs but
      keep their value until the next return to userspace.  They support
      a mask, so that some bits keep the host value, but this mask is
      only used to skip an unnecessary MSR write and the value written
      to the MSR is always the guest MSR.
      
      Fix this and, while at it, do not update smsr->values[slot].curr if
      for whatever reason the wrmsr fails.  This should only happen due to
      reserved bits, so the value written to smsr->values[slot].curr
      will not match when the user-return notifier and the host value will
      always be restored.  However, it is untidy and in rare cases this
      can actually avoid spurious WRMSRs on return to userspace.
      
      Cc: stable@vger.kernel.org
      Reviewed-by: NJim Mattson <jmattson@google.com>
      Tested-by: NJim Mattson <jmattson@google.com>
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5efbd9a9
    • Z
      KVM: arm/arm64: vgic: Don't rely on the wrong pending table · 66f8ca55
      Zenghui Yu 提交于
      commit ca185b260951d3b55108c0b95e188682d8a507b7 upstream.
      
      It's possible that two LPIs locate in the same "byte_offset" but target
      two different vcpus, where their pending status are indicated by two
      different pending tables.  In such a scenario, using last_byte_offset
      optimization will lead KVM relying on the wrong pending table entry.
      Let us use last_ptr instead, which can be treated as a byte index into
      a pending table and also, can be vcpu specific.
      
      Fixes: 28077125 ("KVM: arm64: vgic-v3: KVM_DEV_ARM_VGIC_SAVE_PENDING_TABLES")
      Cc: stable@vger.kernel.org
      Signed-off-by: NZenghui Yu <yuzenghui@huawei.com>
      Signed-off-by: NMarc Zyngier <maz@kernel.org>
      Acked-by: NEric Auger <eric.auger@redhat.com>
      Link: https://lore.kernel.org/r/20191029071919.177-4-yuzenghui@huawei.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      66f8ca55
    • M
      arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node" · e8d9825d
      Marek Szyprowski 提交于
      commit bed903167ae5b5532eda5d7db26de451bd232da5 upstream.
      
      Commit ef72171b ("arm64: dts: exynos: Remove unneeded address space
      mapping for soc node") changed the address and size cells in root node from
      2 to 1, but /memory nodes for the affected boards were not updated. This
      went unnoticed on Exynos5433-based TM2(e) boards, because they use u-boot,
      which updates /memory node to the correct values. On the other hand, the
      mentioned commit broke boot on Exynos7-based Espresso board, which
      bootloader doesn't touch /memory node at all.
      
      This patch reverts commit ef72171b ("arm64: dts: exynos: Remove
      unneeded address space mapping for soc node"), so Exynos5433 and Exynos7
      SoCs again matches other ARM64 platforms with 64bit mappings in root
      node.
      Reported-by: NAlim Akhtar <alim.akhtar@samsung.com>
      Fixes: ef72171b ("arm64: dts: exynos: Remove unneeded address space mapping for soc node")
      Signed-off-by: NMarek Szyprowski <m.szyprowski@samsung.com>
      Cc: <stable@vger.kernel.org> # 5.3.x: 72ddcf6aa224 arm64: dts: exynos: Move GPU under /soc node for Exynos5433
      Cc: <stable@vger.kernel.org> # 5.3.x: ede87c3a2bdb arm64: dts: exynos: Move GPU under /soc node for Exynos7
      Cc: <stable@vger.kernel.org> # 4.18.x
      Tested-by: NAlim Akhtar <alim.akhtar@samsung.com>
      Signed-off-by: NKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8d9825d
    • D
      drm/i810: Prevent underflow in ioctl · 9a0511ab
      Dan Carpenter 提交于
      commit 4f69851fbaa26b155330be35ce8ac393e93e7442 upstream.
      
      The "used" variables here come from the user in the ioctl and it can be
      negative.  It could result in an out of bounds write.
      Signed-off-by: NDan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: NChris Wilson <chris@chris-wilson.co.uk>
      Signed-off-by: NChris Wilson <chris@chris-wilson.co.uk>
      Link: https://patchwork.freedesktop.org/patch/msgid/20191004102251.GC823@mwanda
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9a0511ab
    • J
      drm/msm: fix memleak on release · 8e47f51a
      Johan Hovold 提交于
      commit a64fc11b9a520c55ca34d82e5ca32274f49b6b15 upstream.
      
      If a process is interrupted while accessing the "gpu" debugfs file and
      the drm device struct_mutex is contended, release() could return early
      and fail to free related resources.
      
      Note that the return value from release() is ignored.
      
      Fixes: 4f776f45 ("drm/msm/gpu: Convert the GPU show function to use the GPU state")
      Cc: stable <stable@vger.kernel.org>     # 4.18
      Cc: Jordan Crouse <jcrouse@codeaurora.org>
      Cc: Rob Clark <robdclark@gmail.com>
      Reviewed-by: NRob Clark <robdclark@gmail.com>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NSean Paul <seanpaul@chromium.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/20191010131333.23635-2-johan@kernel.orgSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8e47f51a
    • J
      jbd2: Fix possible overflow in jbd2_log_space_left() · 3152fcd4
      Jan Kara 提交于
      commit add3efdd78b8a0478ce423bb9d4df6bd95e8b335 upstream.
      
      When number of free space in the journal is very low, the arithmetic in
      jbd2_log_space_left() could underflow resulting in very high number of
      free blocks and thus triggering assertion failure in transaction commit
      code complaining there's not enough space in the journal:
      
      J_ASSERT(journal->j_free > 1);
      
      Properly check for the low number of free blocks.
      
      CC: stable@vger.kernel.org
      Reviewed-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NJan Kara <jack@suse.cz>
      Link: https://lore.kernel.org/r/20191105164437.32602-1-jack@suse.czSigned-off-by: NTheodore Ts'o <tytso@mit.edu>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3152fcd4
    • T
      kernfs: fix ino wrap-around detection · 18493bac
      Tejun Heo 提交于
      commit e23f568aa63f64cd6b355094224cc9356c0f696b upstream.
      
      When the 32bit ino wraps around, kernfs increments the generation
      number to distinguish reused ino instances.  The wrap-around detection
      tests whether the allocated ino is lower than what the cursor but the
      cursor is pointing to the next ino to allocate so the condition never
      triggers.
      
      Fix it by remembering the last ino and comparing against that.
      Signed-off-by: NTejun Heo <tj@kernel.org>
      Reviewed-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Fixes: 4a3ef68a ("kernfs: implement i_generation")
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: stable@vger.kernel.org # v4.14+
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      18493bac
    • J
      can: slcan: Fix use-after-free Read in slcan_open · ea57322a
      Jouni Hogander 提交于
      commit 9ebd796e24008f33f06ebea5a5e6aceb68b51794 upstream.
      
      Slcan_open doesn't clean-up device which registration failed from the
      slcan_devs device list. On next open this list is iterated and freed
      device is accessed. Fix this by calling slc_free_netdev in error path.
      
      Driver/net/can/slcan.c is derived from slip.c. Use-after-free error was
      identified in slip_open by syzboz. Same bug is in slcan.c. Here is the
      trace from the Syzbot slip report:
      
      __dump_stack lib/dump_stack.c:77 [inline]
      dump_stack+0x197/0x210 lib/dump_stack.c:118
      print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
      __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
      kasan_report+0x12/0x20 mm/kasan/common.c:634
      __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
      sl_sync drivers/net/slip/slip.c:725 [inline]
      slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
      tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
      tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
      tiocsetd drivers/tty/tty_io.c:2334 [inline]
      tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
      vfs_ioctl fs/ioctl.c:46 [inline]
      file_ioctl fs/ioctl.c:509 [inline]
      do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
      ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
      __do_sys_ioctl fs/ioctl.c:720 [inline]
      __se_sys_ioctl fs/ioctl.c:718 [inline]
      __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
      do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: ed50e1600b44 ("slcan: Fix memory leak in error path")
      Cc: Wolfgang Grandegger <wg@grandegger.com>
      Cc: Marc Kleine-Budde <mkl@pengutronix.de>
      Cc: David Miller <davem@davemloft.net>
      Cc: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: NJouni Hogander <jouni.hogander@unikie.com>
      Cc: linux-stable <stable@vger.kernel.org> # >= v5.4
      Acked-by: NOliver Hartkopp <socketcan@hartkopp.net>
      Signed-off-by: NMarc Kleine-Budde <mkl@pengutronix.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ea57322a
    • D
      tty: vt: keyboard: reject invalid keycodes · 9eadcebe
      Dmitry Torokhov 提交于
      commit b2b2dd71e0859436d4e05b2f61f86140250ed3f8 upstream.
      
      Do not try to handle keycodes that are too big, otherwise we risk doing
      out-of-bounds writes:
      
      BUG: KASAN: global-out-of-bounds in clear_bit include/asm-generic/bitops-instrumented.h:56 [inline]
      BUG: KASAN: global-out-of-bounds in kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
      BUG: KASAN: global-out-of-bounds in kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
      Write of size 8 at addr ffffffff89a1b2d8 by task syz-executor108/1722
      ...
       kbd_keycode drivers/tty/vt/keyboard.c:1411 [inline]
       kbd_event+0xe6b/0x3790 drivers/tty/vt/keyboard.c:1495
       input_to_handler+0x3b6/0x4c0 drivers/input/input.c:118
       input_pass_values.part.0+0x2e3/0x720 drivers/input/input.c:145
       input_pass_values drivers/input/input.c:949 [inline]
       input_set_keycode+0x290/0x320 drivers/input/input.c:954
       evdev_handle_set_keycode_v2+0xc4/0x120 drivers/input/evdev.c:882
       evdev_do_ioctl drivers/input/evdev.c:1150 [inline]
      
      In this case we were dealing with a fuzzed HID device that declared over
      12K buttons, and while HID layer should not be reporting to us such big
      keycodes, we should also be defensive and reject invalid data ourselves as
      well.
      
      Reported-by: syzbot+19340dff067c2d3835c0@syzkaller.appspotmail.com
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191122204220.GA129459@dtor-wsSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9eadcebe
    • P
      CIFS: Fix SMB2 oplock break processing · d4785d88
      Pavel Shilovsky 提交于
      commit fa9c2362497fbd64788063288dc4e74daf977ebb upstream.
      
      Even when mounting modern protocol version the server may be
      configured without supporting SMB2.1 leases and the client
      uses SMB2 oplock to optimize IO performance through local caching.
      
      However there is a problem in oplock break handling that leads
      to missing a break notification on the client who has a file
      opened. It latter causes big latencies to other clients that
      are trying to open the same file.
      
      The problem reproduces when there are multiple shares from the
      same server mounted on the client. The processing code tries to
      match persistent and volatile file ids from the break notification
      with an open file but it skips all share besides the first one.
      Fix this by looking up in all shares belonging to the server that
      issued the oplock break.
      
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: NPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d4785d88
    • P
      CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks · df871e55
      Pavel Shilovsky 提交于
      commit 6f582b273ec23332074d970a7fb25bef835df71f upstream.
      
      Currently when the client creates a cifsFileInfo structure for
      a newly opened file, it allocates a list of byte-range locks
      with a pointer to the new cfile and attaches this list to the
      inode's lock list. The latter happens before initializing all
      other fields, e.g. cfile->tlink. Thus a partially initialized
      cifsFileInfo structure becomes available to other threads that
      walk through the inode's lock list. One example of such a thread
      may be an oplock break worker thread that tries to push all
      cached byte-range locks. This causes NULL-pointer dereference
      in smb2_push_mandatory_locks() when accessing cfile->tlink:
      
      [598428.945633] BUG: kernel NULL pointer dereference, address: 0000000000000038
      ...
      [598428.945749] Workqueue: cifsoplockd cifs_oplock_break [cifs]
      [598428.945793] RIP: 0010:smb2_push_mandatory_locks+0xd6/0x5a0 [cifs]
      ...
      [598428.945834] Call Trace:
      [598428.945870]  ? cifs_revalidate_mapping+0x45/0x90 [cifs]
      [598428.945901]  cifs_oplock_break+0x13d/0x450 [cifs]
      [598428.945909]  process_one_work+0x1db/0x380
      [598428.945914]  worker_thread+0x4d/0x400
      [598428.945921]  kthread+0x104/0x140
      [598428.945925]  ? process_one_work+0x380/0x380
      [598428.945931]  ? kthread_park+0x80/0x80
      [598428.945937]  ret_from_fork+0x35/0x40
      
      Fix this by reordering initialization steps of the cifsFileInfo
      structure: initialize all the fields first and then add the new
      byte-range lock list to the inode's lock list.
      
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: NPavel Shilovsky <pshilov@microsoft.com>
      Reviewed-by: NAurelien Aptel <aaptel@suse.com>
      Signed-off-by: NSteve French <stfrench@microsoft.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      df871e55
    • N
      xfrm interface: fix management of phydev · 153bd256
      Nicolas Dichtel 提交于
      commit 22d6552f827ef76ade3edf6bbb3f05048a0a7d8b upstream.
      
      With the current implementation, phydev cannot be removed:
      
      $ ip link add dummy type dummy
      $ ip link add xfrm1 type xfrm dev dummy if_id 1
      $ ip l d dummy
       kernel:[77938.465445] unregister_netdevice: waiting for dummy to become free. Usage count = 1
      
      Manage it like in ip tunnels, ie just keep the ifindex. Not that the side
      effect, is that the phydev is now optional.
      
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Tested-by: NJulien Floret <julien.floret@6wind.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      153bd256
    • N
      xfrm interface: fix list corruption for x-netns · cbb62978
      Nicolas Dichtel 提交于
      commit c5d1030f23002430c2a336b2b629b9d6f72b3564 upstream.
      
      dev_net(dev) is the netns of the device and xi->net is the link netns,
      where the device has been linked.
      changelink() must operate in the link netns to avoid a corruption of
      the xfrm lists.
      
      Note that xi->net and dev_net(xi->physdev) are always the same.
      
      Before the patch, the xfrmi lists may be corrupted and can later trigger a
      kernel panic.
      
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Reported-by: NJulien Floret <julien.floret@6wind.com>
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Tested-by: NJulien Floret <julien.floret@6wind.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cbb62978
    • N
      xfrm interface: avoid corruption on changelink · f04f067a
      Nicolas Dichtel 提交于
      commit e9e7e85d75f3731079ffd77c1a66f037aef04fe7 upstream.
      
      The new parameters must not be stored in the netdev_priv() before
      validation, it may corrupt the interface. Note also that if data is NULL,
      only a memset() is done.
      
      $ ip link add xfrm1 type xfrm dev lo if_id 1
      $ ip link add xfrm2 type xfrm dev lo if_id 2
      $ ip link set xfrm1 type xfrm dev lo if_id 2
      RTNETLINK answers: File exists
      $ ip -d link list dev xfrm1
      5: xfrm1@lo: <NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
          link/none 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 68 maxmtu 1500
          xfrm if_id 0x2 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
      
      => "if_id 0x2"
      
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Tested-by: NJulien Floret <julien.floret@6wind.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f04f067a
    • N
      xfrm interface: fix memory leak on creation · 28655c63
      Nicolas Dichtel 提交于
      commit 56c5ee1a5823e9cf5288b84ae6364cb4112f8225 upstream.
      
      The following commands produce a backtrace and return an error but the xfrm
      interface is created (in the wrong netns):
      $ ip netns add foo
      $ ip netns add bar
      $ ip -n foo netns set bar 0
      $ ip -n foo link add xfrmi0 link-netnsid 0 type xfrm dev lo if_id 23
      RTNETLINK answers: Invalid argument
      $ ip -n bar link ls xfrmi0
      2: xfrmi0@lo: <NOARP,M-DOWN> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
          link/none 00:00:00:00:00:00 brd 00:00:00:00:00:00
      
      Here is the backtrace:
      [   79.879174] WARNING: CPU: 0 PID: 1178 at net/core/dev.c:8172 rollback_registered_many+0x86/0x3c1
      [   79.880260] Modules linked in: xfrm_interface nfsv3 nfs_acl auth_rpcgss nfsv4 nfs lockd grace sunrpc fscache button parport_pc parport serio_raw evdev pcspkr loop ext4 crc16 mbcache jbd2 crc32c_generic ide_cd_mod ide_gd_mod cdrom ata_$
      eneric ata_piix libata scsi_mod 8139too piix psmouse i2c_piix4 ide_core 8139cp mii i2c_core floppy
      [   79.883698] CPU: 0 PID: 1178 Comm: ip Not tainted 5.2.0-rc6+ #106
      [   79.884462] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [   79.885447] RIP: 0010:rollback_registered_many+0x86/0x3c1
      [   79.886120] Code: 01 e8 d7 7d c6 ff 0f 0b 48 8b 45 00 4c 8b 20 48 8d 58 90 49 83 ec 70 48 8d 7b 70 48 39 ef 74 44 8a 83 d0 04 00 00 84 c0 75 1f <0f> 0b e8 61 cd ff ff 48 b8 00 01 00 00 00 00 ad de 48 89 43 70 66
      [   79.888667] RSP: 0018:ffffc900015ab740 EFLAGS: 00010246
      [   79.889339] RAX: ffff8882353e5700 RBX: ffff8882353e56a0 RCX: ffff8882353e5710
      [   79.890174] RDX: ffffc900015ab7e0 RSI: ffffc900015ab7e0 RDI: ffff8882353e5710
      [   79.891029] RBP: ffffc900015ab7e0 R08: ffffc900015ab7e0 R09: ffffc900015ab7e0
      [   79.891866] R10: ffffc900015ab7a0 R11: ffffffff82233fec R12: ffffc900015ab770
      [   79.892728] R13: ffffffff81eb7ec0 R14: ffff88822ed6cf00 R15: 00000000ffffffea
      [   79.893557] FS:  00007ff350f31740(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
      [   79.894581] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   79.895317] CR2: 00000000006c8580 CR3: 000000022c272000 CR4: 00000000000006f0
      [   79.896137] Call Trace:
      [   79.896464]  unregister_netdevice_many+0x12/0x6c
      [   79.896998]  __rtnl_newlink+0x6e2/0x73b
      [   79.897446]  ? __kmalloc_node_track_caller+0x15e/0x185
      [   79.898039]  ? pskb_expand_head+0x5f/0x1fe
      [   79.898556]  ? stack_access_ok+0xd/0x2c
      [   79.899009]  ? deref_stack_reg+0x12/0x20
      [   79.899462]  ? stack_access_ok+0xd/0x2c
      [   79.899927]  ? stack_access_ok+0xd/0x2c
      [   79.900404]  ? __module_text_address+0x9/0x4f
      [   79.900910]  ? is_bpf_text_address+0x5/0xc
      [   79.901390]  ? kernel_text_address+0x67/0x7b
      [   79.901884]  ? __kernel_text_address+0x1a/0x25
      [   79.902397]  ? unwind_get_return_address+0x12/0x23
      [   79.903122]  ? __cmpxchg_double_slab.isra.37+0x46/0x77
      [   79.903772]  rtnl_newlink+0x43/0x56
      [   79.904217]  rtnetlink_rcv_msg+0x200/0x24c
      
      In fact, each time a xfrm interface was created, a netdev was allocated
      by __rtnl_newlink()/rtnl_create_link() and then another one by
      xfrmi_newlink()/xfrmi_create(). Only the second one was registered, it's
      why the previous commands produce a backtrace: dev_change_net_namespace()
      was called on a netdev with reg_state set to NETREG_UNINITIALIZED (the
      first one).
      
      CC: Lorenzo Colitti <lorenzo@google.com>
      CC: Benedict Wong <benedictwong@google.com>
      CC: Steffen Klassert <steffen.klassert@secunet.com>
      CC: Shannon Nelson <shannon.nelson@oracle.com>
      CC: Antony Antony <antony@phenome.org>
      CC: Eyal Birger <eyal.birger@gmail.com>
      Fixes: f203b76d ("xfrm: Add virtual xfrm interfaces")
      Reported-by: NJulien Floret <julien.floret@6wind.com>
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NSteffen Klassert <steffen.klassert@secunet.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28655c63
    • K
      x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect · 2e5c738a
      Kai-Heng Feng 提交于
      commit 7e8ce0e2b036dbc6617184317983aea4f2c52099 upstream.
      
      The AMD FCH USB XHCI Controller advertises support for generating PME#
      while in D0.  When in D0, it does signal PME# for USB 3.0 connect events,
      but not for USB 2.0 or USB 1.1 connect events, which means the controller
      doesn't wake correctly for those events.
      
        00:10.0 USB controller [0c03]: Advanced Micro Devices, Inc. [AMD] FCH USB XHCI Controller [1022:7914] (rev 20) (prog-if 30 [XHCI])
              Subsystem: Dell FCH USB XHCI Controller [1028:087e]
              Capabilities: [50] Power Management version 3
                      Flags: PMEClk- DSI- D1- D2- AuxCurrent=0mA PME(D0+,D1-,D2-,D3hot+,D3cold+)
      
      Clear PCI_PM_CAP_PME_D0 in dev->pme_support to indicate the device will not
      assert PME# from D0 so we don't rely on it.
      
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=203673
      Link: https://lore.kernel.org/r/20190902145252.32111-1-kai.heng.feng@canonical.comSigned-off-by: NKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: NBjorn Helgaas <bhelgaas@google.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2e5c738a
    • J
      x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all() · 37d080a4
      Joerg Roedel 提交于
      commit 9a62d20027da3164a22244d9f022c0c987261687 upstream.
      
      The job of vmalloc_sync_all() is to help the lazy freeing of vmalloc()
      ranges: before such vmap ranges are reused we make sure that they are
      unmapped from every task's page tables.
      
      This is really easy on pagetable setups where the kernel page tables
      are shared between all tasks - this is the case on 32-bit kernels
      with SHARED_KERNEL_PMD = 1.
      
      But on !SHARED_KERNEL_PMD 32-bit kernels this involves iterating
      over the pgd_list and clearing all pmd entries in the pgds that
      are cleared in the init_mm.pgd, which is the reference pagetable
      that the vmalloc() code uses.
      
      In that context the current practice of vmalloc_sync_all() iterating
      until FIX_ADDR_TOP is buggy:
      
              for (address = VMALLOC_START & PMD_MASK;
                   address >= TASK_SIZE_MAX && address < FIXADDR_TOP;
                   address += PMD_SIZE) {
                      struct page *page;
      
      Because iterating up to FIXADDR_TOP will involve a lot of non-vmalloc
      address ranges:
      
      	VMALLOC -> PKMAP -> LDT -> CPU_ENTRY_AREA -> FIX_ADDR
      
      This is mostly harmless for the FIX_ADDR and CPU_ENTRY_AREA ranges
      that don't clear their pmds, but it's lethal for the LDT range,
      which relies on having different mappings in different processes,
      and 'synchronizing' them in the vmalloc sense corrupts those
      pagetable entries (clearing them).
      
      This got particularly prominent with PTI, which turns SHARED_KERNEL_PMD
      off and makes this the dominant mapping mode on 32-bit.
      
      To make LDT working again vmalloc_sync_all() must only iterate over
      the volatile parts of the kernel address range that are identical
      between all processes.
      
      So the correct check in vmalloc_sync_all() is "address < VMALLOC_END"
      to make sure the VMALLOC areas are synchronized and the LDT
      mapping is not falsely overwritten.
      
      The CPU_ENTRY_AREA and the FIXMAP area are no longer synced either,
      but this is not really a proplem since their PMDs get established
      during bootup and never change.
      
      This change fixes the ldt_gdt selftest in my setup.
      
      [ mingo: Fixed up the changelog to explain the logic and modified the
               copying to only happen up until VMALLOC_END. ]
      Reported-by: NBorislav Petkov <bp@suse.de>
      Tested-by: NBorislav Petkov <bp@suse.de>
      Signed-off-by: NJoerg Roedel <jroedel@suse.de>
      Cc: <stable@vger.kernel.org>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: hpa@zytor.com
      Fixes: 7757d607: ("x86/pti: Allow CONFIG_PAGE_TABLE_ISOLATION for x86_32")
      Link: https://lkml.kernel.org/r/20191126111119.GA110513@gmail.comSigned-off-by: NIngo Molnar <mingo@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      37d080a4