1. 21 9月, 2019 40 次提交
    • D
      ARM: 8874/1: mm: only adjust sections of valid mm structures · 5b8b6627
      Doug Berger 提交于
      [ Upstream commit c51bc12d06b3a5494fbfcbd788a8e307932a06e9 ]
      
      A timing hazard exists when an early fork/exec thread begins
      exiting and sets its mm pointer to NULL while a separate core
      tries to update the section information.
      
      This commit ensures that the mm pointer is not NULL before
      setting its section parameters. The arguments provided by
      commit 11ce4b33 ("ARM: 8672/1: mm: remove tasklist locking
      from update_sections_early()") are equally valid for not
      requiring grabbing the task_lock around this check.
      
      Fixes: 08925c2f ("ARM: 8464/1: Update all mm structures with section adjustments")
      Signed-off-by: NDoug Berger <opendmb@gmail.com>
      Acked-by: NLaura Abbott <labbott@redhat.com>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: Rob Herring <robh@kernel.org>
      Cc: "Steven Rostedt (VMware)" <rostedt@goodmis.org>
      Cc: Peng Fan <peng.fan@nxp.com>
      Cc: Geert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5b8b6627
    • W
      qed: Add cleanup in qed_slowpath_start() · b870f8af
      Wenwen Wang 提交于
      [ Upstream commit de0e4fd2f07ce3bbdb69dfb8d9426b7227451b69 ]
      
      If qed_mcp_send_drv_version() fails, no cleanup is executed, leading to
      memory leaks. To fix this issue, introduce the label 'err4' to perform the
      cleanup work before returning the error.
      Signed-off-by: NWenwen Wang <wenwen@cs.uga.edu>
      Acked-by: NSudarsana Reddy Kalluru <skalluru@marvell.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b870f8af
    • I
      xdp: unpin xdp umem pages in error path · 30881d79
      Ivan Khoronzhuk 提交于
      [ Upstream commit fb89c39455e4b49881c5a42761bd71f03d3ef888 ]
      
      Fix mem leak caused by missed unpin routine for umem pages.
      
      Fixes: 8aef7340 ("xsk: introduce xdp_umem_page")
      Signed-off-by: NIvan Khoronzhuk <ivan.khoronzhuk@linaro.org>
      Acked-by: NJonathan Lemon <jonathan.lemon@gmail.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      30881d79
    • C
      Kconfig: Fix the reference to the IDT77105 Phy driver in the description of... · 55ed0ad5
      Christophe JAILLET 提交于
      Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105
      
      [ Upstream commit cd9d4ff9b78fcd0fc4708900ba3e52e71e1a7690 ]
      
      This should be IDT77105, not IDT77015.
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      55ed0ad5
    • T
      NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup · 767877de
      Trond Myklebust 提交于
      [ Upstream commit 17d8c5d145000070c581f2a8aa01edc7998582ab ]
      
      Initialise the result count to 0 rather than initialising it to the
      argument count. The reason is that we want to ensure we record the
      I/O stats correctly in the case where an error is returned (for
      instance in the layoutstats).
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      767877de
    • T
      NFSv4: Fix return value in nfs_finish_open() · 4ac4f471
      Trond Myklebust 提交于
      [ Upstream commit 9821421a291b548ef4369c6998745baa36ddecd5 ]
      
      If the file turns out to be of the wrong type after opening, we want
      to revalidate the path and retry, so return EOPENSTALE rather than
      ESTALE.
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4ac4f471
    • T
      NFSv4: Fix return values for nfs4_file_open() · d7565d51
      Trond Myklebust 提交于
      [ Upstream commit 90cf500e338ab3f3c0f126ba37e36fb6a9058441 ]
      
      Currently, we are translating RPC level errors such as timeouts,
      as well as interrupts etc into EOPENSTALE, which forces a single
      replay of the open attempt. What we actually want to do is
      force the replay only in the cases where the returned error
      indicates that the file may have changed on the server.
      
      So the fix is to spell out the exact set of errors where we want
      to return EOPENSTALE.
      Signed-off-by: NTrond Myklebust <trond.myklebust@hammerspace.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d7565d51
    • J
      netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info · 4e5fbcb9
      Juliana Rodrigueiro 提交于
      [ Upstream commit 89a26cd4b501e9511d3cd3d22327fc76a75a38b3 ]
      
      When running a 64-bit kernel with a 32-bit iptables binary, the size of
      the xt_nfacct_match_info struct diverges.
      
          kernel: sizeof(struct xt_nfacct_match_info) : 40
          iptables: sizeof(struct xt_nfacct_match_info)) : 36
      
      Trying to append nfacct related rules results in an unhelpful message.
      Although it is suggested to look for more information in dmesg, nothing
      can be found there.
      
          # iptables -A <chain> -m nfacct --nfacct-name <acct-object>
          iptables: Invalid argument. Run `dmesg' for more information.
      
      This patch fixes the memory misalignment by enforcing 8-byte alignment
      within the struct's first revision. This solution is often used in many
      other uapi netfilter headers.
      Signed-off-by: NJuliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
      Acked-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4e5fbcb9
    • P
      netfilter: nft_flow_offload: missing netlink attribute policy · a02c676c
      Pablo Neira Ayuso 提交于
      [ Upstream commit 14c415862c0630e01712a4eeaf6159a2b1b6d2a4 ]
      
      The netlink attribute policy for NFTA_FLOW_TABLE_NAME is missing.
      
      Fixes: a3c90f7a ("netfilter: nf_tables: flow offload expression")
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a02c676c
    • T
      netfilter: ebtables: Fix argument order to ADD_COUNTER · a4fa6c68
      Todd Seidelmann 提交于
      [ Upstream commit f20faa06d83de440bec8e200870784c3458793c4 ]
      
      The ordering of arguments to the x_tables ADD_COUNTER macro
      appears to be wrong in ebtables (cf. ip_tables.c, ip6_tables.c,
      and arp_tables.c).
      
      This causes data corruption in the ebtables userspace tools
      because they get incorrect packet & byte counts from the kernel.
      
      Fixes: d72133e6 ("netfilter: ebtables: use ADD_COUNTER macro")
      Signed-off-by: NTodd Seidelmann <tseidelmann@linode.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a4fa6c68
    • P
      fpga: altera-ps-spi: Fix getting of optional confd gpio · 634dd5a4
      Phil Reid 提交于
      [ Upstream commit dec43da46f63eb71f519d963ba6832838e4262a3 ]
      
      Currently the driver does not handle EPROBE_DEFER for the confd gpio.
      Use devm_gpiod_get_optional() instead of devm_gpiod_get() and return
      error codes from altera_ps_probe().
      
      Fixes: 5692fae0 ("fpga manager: Add altera-ps-spi driver for Altera FPGAs")
      Signed-off-by: NPhil Reid <preid@electromag.com.au>
      Signed-off-by: NMoritz Fischer <mdf@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      634dd5a4
    • Q
      tools: bpftool: close prog FD before exit on showing a single program · 0d393f23
      Quentin Monnet 提交于
      [ Upstream commit d34b044038bfb0e19caa8b019910efc465f41d5f ]
      
      When showing metadata about a single program by invoking
      "bpftool prog show PROG", the file descriptor referring to the program
      is not closed before returning from the function. Let's close it.
      
      Fixes: 71bb428f ("tools: bpf: add bpftool")
      Signed-off-by: NQuentin Monnet <quentin.monnet@netronome.com>
      Reviewed-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Acked-by: NAndrii Nakryiko <andriin@fb.com>
      Signed-off-by: NAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0d393f23
    • I
      selftests/bpf: fix "bind{4, 6} deny specific IP & port" on s390 · c5bb0335
      Ilya Leoshkevich 提交于
      [ Upstream commit 27df5c7068bf23cab282dc64b1c9894429b3b8a0 ]
      
      "bind4 allow specific IP & port" and "bind6 deny specific IP & port"
      fail on s390 because of endianness issue: the 4 IP address bytes are
      loaded as a word and compared with a constant, but the value of this
      constant should be different on big- and little- endian machines, which
      is not the case right now.
      
      Use __bpf_constant_ntohl to generate proper value based on machine
      endianness.
      
      Fixes: 1d436885 ("selftests/bpf: Selftest for sys_bind post-hooks.")
      Signed-off-by: NIlya Leoshkevich <iii@linux.ibm.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c5bb0335
    • I
      s390/bpf: use 32-bit index for tail calls · 48d77ca1
      Ilya Leoshkevich 提交于
      [ Upstream commit 91b4db5313a2c793aabc2143efb8ed0cf0fdd097 ]
      
      "p runtime/jit: pass > 32bit index to tail_call" fails when
      bpf_jit_enable=1, because the tail call is not executed.
      
      This in turn is because the generated code assumes index is 64-bit,
      while it must be 32-bit, and as a result prog array bounds check fails,
      while it should pass. Even if bounds check would have passed, the code
      that follows uses 64-bit index to compute prog array offset.
      
      Fix by using clrj instead of clgrj for comparing index with array size,
      and also by using llgfr for truncating index to 32 bits before using it
      to compute prog array offset.
      
      Fixes: 6651ee07 ("s390/bpf: implement bpf_tail_call() helper")
      Reported-by: NYauheni Kaliuta <yauheni.kaliuta@redhat.com>
      Acked-by: NVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: NIlya Leoshkevich <iii@linux.ibm.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      48d77ca1
    • S
      bus: ti-sysc: Simplify cleanup upon failures in sysc_probe() · 999f33c2
      Suman Anna 提交于
      [ Upstream commit a304f483b6b00d42bde41c45ca52c670945348e2 ]
      
      The clocks are not yet parsed and prepared until after a successful
      sysc_get_clocks(), so there is no need to unprepare the clocks upon
      any failure of any of the prior functions in sysc_probe(). The current
      code path would have been a no-op because of the clock validity checks
      within sysc_unprepare(), but let's just simplify the cleanup path by
      returning the error directly.
      
      While at this, also fix the cleanup path for a sysc_init_resets()
      failure which is executed after the clocks are prepared.
      Signed-off-by: NSuman Anna <s-anna@ti.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      999f33c2
    • J
      ARM: OMAP1: ams-delta-fiq: Fix missing irq_ack · 1a85d581
      Janusz Krzysztofik 提交于
      [ Upstream commit fa8397e45c64e60c80373bc19ee56e42a6bed9b6 ]
      
      Non-serio path of Amstrad Delta FIQ deferred handler depended on
      irq_ack() method provided by OMAP GPIO driver.  That method has been
      removed by commit 693de831c6e5 ("gpio: omap: remove irq_ack method").
      Remove useless code from the deferred handler and reimplement the
      missing operation inside the base FIQ handler.
      
      Should another dependency - irq_unmask() - be ever removed from the OMAP
      GPIO driver, WARN once if missing.
      Signed-off-by: NJanusz Krzysztofik <jmkrzyszt@gmail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1a85d581
    • F
      ARM: dts: dra74x: Fix iodelay configuration for mmc3 · a8919f8d
      Faiz Abbas 提交于
      [ Upstream commit 07f9a8be66a9bd86f9eaedf8f8aeb416195adab8 ]
      
      According to the latest am572x[1] and dra74x[2] data manuals, mmc3
      default, hs, sdr12 and sdr25 modes use iodelay values given in
      MMC3_MANUAL1. Set the MODE_SELECT bit for these so that manual mode is
      selected and correct iodelay values can be configured.
      
      [1] http://www.ti.com/lit/ds/symlink/am5728.pdf
      [2] http://www.ti.com/lit/ds/symlink/dra746.pdfSigned-off-by: NFaiz Abbas <faiz_abbas@ti.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a8919f8d
    • T
      ARM: OMAP2+: Fix omap4 errata warning on other SoCs · 2ff2bd2c
      Tony Lindgren 提交于
      [ Upstream commit 45da5e09dd32fa98c32eaafe2513db6bd75e2f4f ]
      
      We have errata i688 workaround produce warnings on SoCs other than
      omap4 and omap5:
      
      omap4_sram_init:Unable to allocate sram needed to handle errata I688
      omap4_sram_init:Unable to get sram pool needed to handle errata I688
      
      This is happening because there is no ti,omap4-mpu node, or no SRAM
      to configure for the other SoCs, so let's remove the warning based
      on the SoC revision checks.
      
      As nobody has complained it seems that the other SoC variants do not
      need this workaround.
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      2ff2bd2c
    • I
      s390/bpf: fix lcgr instruction encoding · 73d00327
      Ilya Leoshkevich 提交于
      [ Upstream commit bb2d267c448f4bc3a3389d97c56391cb779178ae ]
      
      "masking, test in bounds 3" fails on s390, because
      BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0) ignores the top 32 bits of
      BPF_REG_2. The reason is that JIT emits lcgfr instead of lcgr.
      The associated comment indicates that the code was intended to
      emit lcgr in the first place, it's just that the wrong opcode
      was used.
      
      Fix by using the correct opcode.
      
      Fixes: 05462310 ("s390/bpf: Add s390x eBPF JIT compiler backend")
      Signed-off-by: NIlya Leoshkevich <iii@linux.ibm.com>
      Acked-by: NVasily Gorbik <gor@linux.ibm.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      73d00327
    • T
      bus: ti-sysc: Fix using configured sysc mask value · c1e0937e
      Tony Lindgren 提交于
      [ Upstream commit e212abd452a4af3174fcd469d46656f83e135a19 ]
      
      We have cases where there are no softreset bits like with am335x lcdc.
      In that case ti,sysc-mask = <0> needs to be handled properly.
      Tested-by: NKeerthy <j-keerthy@ti.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c1e0937e
    • T
      ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss · 0aee9e11
      Tony Lindgren 提交于
      [ Upstream commit afd58b162e48076e3fe66d08a69eefbd6fe71643 ]
      
      TRM says PWMSS_SYSCONFIG bit for SOFTRESET changes to zero when
      reset is completed. Let's configure it as otherwise we get warnings
      on boot when we check the data against dts provided data. Eventually
      the legacy platform data will be just dropped, but let's fix the
      warning first.
      Reviewed-by: NSuman Anna <s-anna@ti.com>
      Tested-by: NKeerthy <j-keerthy@ti.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0aee9e11
    • F
      ARM: dts: am57xx: Disable voltage switching for SD card · f696ba6b
      Faiz Abbas 提交于
      [ Upstream commit fb59ee37cfe20d10d19568899d1458a58361246c ]
      
      If UHS speed modes are enabled, a compatible SD card switches down to
      1.8V during enumeration. If after this a software reboot/crash takes
      place and on-chip ROM tries to enumerate the SD card, the difference in
      IO voltages (host @ 3.3V and card @ 1.8V) may end up damaging the card.
      
      The fix for this is to have support for power cycling the card in
      hardware (with a PORz/soft-reset line causing a power cycle of the
      card). Because the beaglebone X15 (rev A,B and C), am57xx-idks and
      am57xx-evms don't have this capability, disable voltage switching for
      these boards.
      
      The major effect of this is that the maximum supported speed
      mode is now high speed(50 MHz) down from SDR104(200 MHz).
      
      commit 88a748419b84 ("ARM: dts: am57xx-idk: Remove support for voltage
      switching for SD card") did this only for idk boards. Do it for all
      affected boards.
      Signed-off-by: NFaiz Abbas <faiz_abbas@ti.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f696ba6b
    • Y
      ieee802154: hwsim: unregister hw while hwsim_subscribe_all_others fails · ac8f26f6
      YueHaibing 提交于
      [ Upstream commit de166bbe861738c8bc3e5dad5b03f45d7d6ef914 ]
      
      KASAN report this:
      
      kernel BUG at net/mac802154/main.c:130!
      invalid opcode: 0000 [#1] PREEMPT SMP
      CPU: 0 PID: 19932 Comm: modprobe Not tainted 5.1.0-rc6+ #22
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
      RIP: 0010:ieee802154_free_hw+0x2a/0x30 [mac802154]
      Code: 55 48 8d 57 38 48 89 e5 53 48 89 fb 48 8b 47 38 48 39 c2 75 15 48 8d 7f 48 e8 82 85 16 e1 48 8b 7b 28 e8 f9 ef 83 e2 5b 5d c3 <0f> 0b 0f 1f 40 00 55 48 89 e5 53 48 89 fb 0f b6 86 80 00 00 00 88
      RSP: 0018:ffffc90001c7b9f0 EFLAGS: 00010206
      RAX: ffff88822df3aa80 RBX: ffff88823143d5c0 RCX: 0000000000000002
      RDX: ffff88823143d5f8 RSI: ffff88822b1fabc0 RDI: ffff88823143d5c0
      RBP: ffffc90001c7b9f8 R08: 0000000000000000 R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000000000000 R12: 00000000fffffff4
      R13: ffff88822dea4f50 R14: ffff88823143d7c0 R15: 00000000fffffff4
      FS: 00007ff52e999540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
      CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fdc06dba768 CR3: 000000023160a000 CR4: 00000000000006f0
      Call Trace:
       hwsim_add_one+0x2dd/0x540 [mac802154_hwsim]
       hwsim_probe+0x2f/0xb0 [mac802154_hwsim]
       platform_drv_probe+0x3a/0x90
       ? driver_sysfs_add+0x79/0xb0
       really_probe+0x1d4/0x2d0
       driver_probe_device+0x50/0xf0
       device_driver_attach+0x54/0x60
       __driver_attach+0x7e/0xd0
       ? device_driver_attach+0x60/0x60
       bus_for_each_dev+0x68/0xc0
       driver_attach+0x19/0x20
       bus_add_driver+0x15e/0x200
       driver_register+0x5b/0xf0
       __platform_driver_register+0x31/0x40
       hwsim_init_module+0x74/0x1000 [mac802154_hwsim]
       ? 0xffffffffa00e9000
       do_one_initcall+0x6c/0x3cc
       ? kmem_cache_alloc_trace+0x248/0x3b0
       do_init_module+0x5b/0x1f1
       load_module+0x1db1/0x2690
       ? m_show+0x1d0/0x1d0
       __do_sys_finit_module+0xc5/0xd0
       __x64_sys_finit_module+0x15/0x20
       do_syscall_64+0x6b/0x1d0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x7ff52e4a2839
      Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 1f f6 2c 00 f7 d8 64 89 01 48
      RSP: 002b:00007ffffa7b3c08 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 00005647560a2a00 RCX: 00007ff52e4a2839
      RDX: 0000000000000000 RSI: 00005647547f3c2e RDI: 0000000000000003
      RBP: 00005647547f3c2e R08: 0000000000000000 R09: 00005647560a2a00
      R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000
      R13: 00005647560a2c10 R14: 0000000000040000 R15: 00005647560a2a00
      Modules linked in: mac802154_hwsim(+) mac802154 [last unloaded: mac802154_hwsim]
      
      In hwsim_add_one, if hwsim_subscribe_all_others fails, we
      should call ieee802154_unregister_hw to free resources.
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Fixes: f25da51f ("ieee802154: hwsim: add replacement for fakelb")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Acked-by: NAlexander Aring <aring@mojatatu.com>
      Signed-off-by: NStefan Schmidt <stefan@datenfreihafen.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ac8f26f6
    • Y
      ieee802154: hwsim: Fix error handle path in hwsim_init_module · c237a050
      YueHaibing 提交于
      [ Upstream commit 1cbbbf39efab05fae67f59e6ed01bb85061c69e2 ]
      
      KASAN report this:
      
      BUG: unable to handle kernel paging request at fffffbfff834f001
      PGD 237fe8067 P4D 237fe8067 PUD 237e64067 PMD 1c968d067 PTE 0
      Oops: 0000 [#1] SMP KASAN PTI
      CPU: 1 PID: 8871 Comm: syz-executor.0 Tainted: G         C        5.0.0+ #5
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:strcmp+0x31/0xa0 lib/string.c:328
      Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
      RSP: 0018:ffff8881e0c57800 EFLAGS: 00010246
      RAX: 1ffffffff834f001 RBX: ffffffffc1a78000 RCX: ffffffff827b9503
      RDX: 0000000000000000 RSI: ffffffffc1a40008 RDI: ffffffffc1a78008
      RBP: ffffffffc1a78009 R08: fffffbfff6a92195 R09: fffffbfff6a92195
      R10: ffff8881e0c578b8 R11: fffffbfff6a92194 R12: ffffffffc1a40008
      R13: dffffc0000000000 R14: ffffffffc1a3e470 R15: ffffffffc1a40000
      FS:  00007fdcc02ff700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: fffffbfff834f001 CR3: 00000001b3134003 CR4: 00000000007606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      Call Trace:
       genl_family_find_byname+0x7f/0xf0 net/netlink/genetlink.c:104
       genl_register_family+0x1e1/0x1070 net/netlink/genetlink.c:333
       ? 0xffffffffc1978000
       hwsim_init_module+0x6a/0x1000 [mac802154_hwsim]
       ? 0xffffffffc1978000
       ? 0xffffffffc1978000
       ? 0xffffffffc1978000
       do_one_initcall+0xbc/0x47d init/main.c:887
       do_init_module+0x1b5/0x547 kernel/module.c:3456
       load_module+0x6405/0x8c10 kernel/module.c:3804
       __do_sys_finit_module+0x162/0x190 kernel/module.c:3898
       do_syscall_64+0x9f/0x450 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x462e99
      Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fdcc02fec58 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
      RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462e99
      RDX: 0000000000000000 RSI: 0000000020000200 RDI: 0000000000000003
      RBP: 00007fdcc02fec70 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007fdcc02ff6bc
      R13: 00000000004bcefa R14: 00000000006f6fb0 R15: 0000000000000004
      Modules linked in: mac802154_hwsim(+) mac802154 ieee802154 speakup(C) rc_proteus_2309 rtc_rk808 streebog_generic rds vboxguest madera_spi madera da9052_wdt mISDN_core ueagle_atm usbatm atm ir_imon_decoder scsi_transport_sas rc_dntv_live_dvb_t panel_samsung_s6d16d0 drm drm_panel_orientation_quirks lib80211 fb_agm1264k_fl(C) gspca_pac7302 gspca_main videobuf2_v4l2 soundwire_intel_init i2c_dln2 dln2 usbcore hid_gaff 88pm8607 nfnetlink axp20x_i2c axp20x uio pata_marvell pmbus_core snd_sonicvibes gameport snd_pcm snd_opl3_lib snd_timer snd_hwdep snd_mpu401_uart snd_rawmidi snd_seq_device snd soundcore rtc_ds1511 rtc_ds1742 vsock dwc_xlgmac rtc_rx8010 libphy twofish_x86_64_3way twofish_x86_64 twofish_common ad5696_i2c ad5686 lp8788_charger cxd2880_spi dvb_core videobuf2_common videodev media videobuf2_vmalloc videobuf2_memops fbtft(C) sysimgblt sysfillrect syscopyarea fb_sys_fops janz_ican3 firewire_net firewire_core crc_itu_t spi_slave_system_control i2c_matroxfb i2c_algo_bit
       matroxfb_base fb fbdev matroxfb_DAC1064 matroxfb_accel cfbcopyarea cfbimgblt cfbfillrect matroxfb_Ti3026 matroxfb_g450 g450_pll matroxfb_misc leds_blinkm ti_dac7311 intel_spi_pci intel_spi spi_nor hid_elan hid async_tx rc_cinergy_1400 rc_core intel_ishtp kxcjk_1013 industrialio_triggered_buffer kfifo_buf can_dev intel_th spi_pxa2xx_platform pata_artop vme_ca91cx42 gb_gbphy(C) greybus(C) industrialio mptbase st_drv cmac ttpci_eeprom via_wdt gpio_xra1403 mtd iptable_security iptable_raw iptable_mangle iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_filter bpfilter ip6_vti ip_vti ip_gre ipip sit tunnel4 ip_tunnel hsr veth netdevsim vxcan batman_adv cfg80211 rfkill chnl_net caif nlmon dummy team bonding vcan bridge stp llc ip6_gre gre ip6_tunnel tunnel6 tun joydev mousedev ppdev kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel aesni_intel aes_x86_64 input_leds crypto_simd cryptd glue_helper ide_pci_generic piix psmouse
       ide_core serio_raw ata_generic i2c_piix4 pata_acpi parport_pc parport floppy rtc_cmos intel_agp intel_gtt agpgart sch_fq_codel ip_tables x_tables sha1_ssse3 sha1_generic ipv6 [last unloaded: speakup]
      Dumping ftrace buffer:
         (ftrace buffer empty)
      CR2: fffffbfff834f001
      ---[ end trace 5aa772c793e0e971 ]---
      RIP: 0010:strcmp+0x31/0xa0 lib/string.c:328
      Code: 00 00 00 00 fc ff df 55 53 48 83 ec 08 eb 0a 84 db 48 89 ef 74 5a 4c 89 e6 48 89 f8 48 89 fa 48 8d 6f 01 48 c1 e8 03 83 e2 07 <42> 0f b6 04 28 38 d0 7f 04 84 c0 75 50 48 89 f0 48 89 f2 0f b6 5d
      RSP: 0018:ffff8881e0c57800 EFLAGS: 00010246
      RAX: 1ffffffff834f001 RBX: ffffffffc1a78000 RCX: ffffffff827b9503
      RDX: 0000000000000000 RSI: ffffffffc1a40008 RDI: ffffffffc1a78008
      RBP: ffffffffc1a78009 R08: fffffbfff6a92195 R09: fffffbfff6a92195
      R10: ffff8881e0c578b8 R11: fffffbfff6a92194 R12: ffffffffc1a40008
      R13: dffffc0000000000 R14: ffffffffc1a3e470 R15: ffffffffc1a40000
      FS:  00007fdcc02ff700(0000) GS:ffff8881f7300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: fffffbfff834f001 CR3: 00000001b3134003 CR4: 00000000007606e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      PKRU: 55555554
      
      The error handing path misplace the cleanup in hwsim_init_module,
      switch the two cleanup functions to fix above issues.
      Reported-by: NHulk Robot <hulkci@huawei.com>
      Fixes: f25da51f ("ieee802154: hwsim: add replacement for fakelb")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Acked-by: NAlexander Aring <aring@mojatatu.com>
      Signed-off-by: NStefan Schmidt <stefan@datenfreihafen.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c237a050
    • M
      nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds · 6a10e87f
      Masashi Honma 提交于
      commit 4b2c5a14cd8005a900075f7dfec87473c6ee66fb upstream.
      
      commit 1222a160 ("nl80211: Fix possible Spectre-v1 for CQM
      RSSI thresholds") was incomplete and requires one more fix to
      prevent accessing to rssi_thresholds[n] because user can control
      rssi_thresholds[i] values to make i reach to n. For example,
      rssi_thresholds = {-400, -300, -200, -100} when last is -34.
      
      Cc: stable@vger.kernel.org
      Fixes: 1222a160 ("nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds")
      Reported-by: NDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: NMasashi Honma <masashi.honma@gmail.com>
      Link: https://lore.kernel.org/r/20190908005653.17433-1-masashi.honma@gmail.comSigned-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6a10e87f
    • W
      mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings · 941431c4
      Wen Huang 提交于
      commit 7caac62ed598a196d6ddf8d9c121e12e082cac3a upstream.
      
      mwifiex_update_vs_ie(),mwifiex_set_uap_rates() and
      mwifiex_set_wmm_params() call memcpy() without checking
      the destination size.Since the source is given from
      user-space, this may trigger a heap buffer overflow.
      
      Fix them by putting the length check before performing memcpy().
      
      This fix addresses CVE-2019-14814,CVE-2019-14815,CVE-2019-14816.
      Signed-off-by: NWen Huang <huangwenabc@gmail.com>
      Acked-by: NGanapathi Bhat <gbhat@marvell.comg>
      Signed-off-by: NKalle Valo <kvalo@codeaurora.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      941431c4
    • R
      tty/serial: atmel: reschedule TX after RX was started · 770cee24
      Razvan Stefanescu 提交于
      commit d2ace81bf902a9f11d52e59e5d232d2255a0e353 upstream.
      
      When half-duplex RS485 communication is used, after RX is started, TX
      tasklet still needs to be  scheduled tasklet. This avoids console freezing
      when more data is to be transmitted, if the serial communication is not
      closed.
      
      Fixes: 69646d7a3689 ("tty/serial: atmel: RS485 HD w/DMA: enable RX after TX is stopped")
      Signed-off-by: NRazvan Stefanescu <razvan.stefanescu@microchip.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20190813074025.16218-1-razvan.stefanescu@microchip.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      770cee24
    • C
      serial: sprd: correct the wrong sequence of arguments · 4c2f60ed
      Chunyan Zhang 提交于
      commit 9c801e313195addaf11c16e155f50789d6ebfd19 upstream.
      
      The sequence of arguments which was passed to handle_lsr_errors() didn't
      match the parameters defined in that function, &lsr was passed to flag
      and &flag was passed to lsr, this patch fixed that.
      
      Fixes: b7396a38 ("tty/serial: Add Spreadtrum sc9836-uart driver support")
      Signed-off-by: NChunyan Zhang <chunyan.zhang@unisoc.com>
      Signed-off-by: NChunyan Zhang <zhang.lyra@gmail.com>
      Cc: stable <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20190905074151.5268-1-zhang.lyra@gmail.comSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4c2f60ed
    • H
      firmware: google: check if size is valid when decoding VPD data · 28716215
      Hung-Te Lin 提交于
      commit 4b708b7b1a2c09fbdfff6b942ebe3a160213aacd upstream.
      
      The VPD implementation from Chromium Vital Product Data project used to
      parse data from untrusted input without checking if the meta data is
      invalid or corrupted. For example, the size from decoded content may
      be negative value, or larger than whole input buffer. Such invalid data
      may cause buffer overflow.
      
      To fix that, the size parameters passed to vpd_decode functions should
      be changed to unsigned integer (u32) type, and the parsing of entry
      header should be refactored so every size field is correctly verified
      before starting to decode.
      
      Fixes: ad2ac9d5 ("firmware: Google VPD: import lib_vpd source files")
      Signed-off-by: NHung-Te Lin <hungte@chromium.org>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: NGuenter Roeck <linux@roeck-us.net>
      Reviewed-by: NStephen Boyd <swboyd@chromium.org>
      Link: https://lore.kernel.org/r/20190830022402.214442-1-hungte@chromium.orgSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28716215
    • M
      KVM: coalesced_mmio: add bounds checking · 232a6462
      Matt Delco 提交于
      commit b60fe990c6b07ef6d4df67bc0530c7c90a62623a upstream.
      
      The first/last indexes are typically shared with a user app.
      The app can change the 'last' index that the kernel uses
      to store the next result.  This change sanity checks the index
      before using it for writing to a potentially arbitrary address.
      
      This fixes CVE-2019-14821.
      
      Cc: stable@vger.kernel.org
      Fixes: 5f94c174 ("KVM: Add coalesced MMIO support (common part)")
      Signed-off-by: NMatt Delco <delco@chromium.org>
      Signed-off-by: NJim Mattson <jmattson@google.com>
      Reported-by: syzbot+983c866c3dd6efa3662a@syzkaller.appspotmail.com
      [Use READ_ONCE. - Paolo]
      Signed-off-by: NPaolo Bonzini <pbonzini@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      232a6462
    • C
      net_sched: let qdisc_put() accept NULL pointer · 7a1bad56
      Cong Wang 提交于
      [ Upstream commit 6efb971ba8edfbd80b666f29de12882852f095ae ]
      
      When tcf_block_get() fails in sfb_init(), q->qdisc is still a NULL
      pointer which leads to a crash in sfb_destroy(). Similar for
      sch_dsmark.
      
      Instead of fixing each separately, Linus suggested to just accept
      NULL pointer in qdisc_put(), which would make callers easier.
      
      (For sch_dsmark, the bug probably exists long before commit
      6529eaba.)
      
      Fixes: 6529eaba ("net: sched: introduce tcf block infractructure")
      Reported-by: syzbot+d5870a903591faaca4ae@syzkaller.appspotmail.com
      Suggested-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Acked-by: NJiri Pirko <jiri@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7a1bad56
    • D
      xen-netfront: do not assume sk_buff_head list is empty in error handling · 47288968
      Dongli Zhang 提交于
      [ Upstream commit 00b368502d18f790ab715e055869fd4bb7484a9b ]
      
      When skb_shinfo(skb) is not able to cache extra fragment (that is,
      skb_shinfo(skb)->nr_frags >= MAX_SKB_FRAGS), xennet_fill_frags() assumes
      the sk_buff_head list is already empty. As a result, cons is increased only
      by 1 and returns to error handling path in xennet_poll().
      
      However, if the sk_buff_head list is not empty, queue->rx.rsp_cons may be
      set incorrectly. That is, queue->rx.rsp_cons would point to the rx ring
      buffer entries whose queue->rx_skbs[i] and queue->grant_rx_ref[i] are
      already cleared to NULL. This leads to NULL pointer access in the next
      iteration to process rx ring buffer entries.
      
      Below is how xennet_poll() does error handling. All remaining entries in
      tmpq are accounted to queue->rx.rsp_cons without assuming how many
      outstanding skbs are remained in the list.
      
       985 static int xennet_poll(struct napi_struct *napi, int budget)
      ... ...
      1032           if (unlikely(xennet_set_skb_gso(skb, gso))) {
      1033                   __skb_queue_head(&tmpq, skb);
      1034                   queue->rx.rsp_cons += skb_queue_len(&tmpq);
      1035                   goto err;
      1036           }
      
      It is better to always have the error handling in the same way.
      
      Fixes: ad4f15dc ("xen/netfront: don't bug in case of too many frags")
      Signed-off-by: NDongli Zhang <dongli.zhang@oracle.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47288968
    • W
      udp: correct reuseport selection with connected sockets · fdd60d80
      Willem de Bruijn 提交于
      [ Upstream commit acdcecc61285faed359f1a3568c32089cc3a8329 ]
      
      UDP reuseport groups can hold a mix unconnected and connected sockets.
      Ensure that connections only receive all traffic to their 4-tuple.
      
      Fast reuseport returns on the first reuseport match on the assumption
      that all matches are equal. Only if connections are present, return to
      the previous behavior of scoring all sockets.
      
      Record if connections are present and if so (1) treat such connected
      sockets as an independent match from the group, (2) only return
      2-tuple matches from reuseport and (3) do not return on the first
      2-tuple reuseport match to allow for a higher scoring match later.
      
      New field has_conns is set without locks. No other fields in the
      bitmap are modified at runtime and the field is only ever set
      unconditionally, so an RMW cannot miss a change.
      
      Fixes: e32ea7e7 ("soreuseport: fast reuseport UDP socket selection")
      Link: http://lkml.kernel.org/r/CA+FuTSfRP09aJNYRt04SS6qj22ViiOEWaWmLAwX0psk8-PGNxw@mail.gmail.comSigned-off-by: NWillem de Bruijn <willemb@google.com>
      Acked-by: NPaolo Abeni <pabeni@redhat.com>
      Acked-by: NCraig Gallek <kraig@google.com>
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fdd60d80
    • X
      ip6_gre: fix a dst leak in ip6erspan_tunnel_xmit · 97b5f8c9
      Xin Long 提交于
      [ Upstream commit 28e486037747c2180470b77c290d4090ad42f259 ]
      
      In ip6erspan_tunnel_xmit(), if the skb will not be sent out, it has to
      be freed on the tx_err path. Otherwise when deleting a netns, it would
      cause dst/dev to leak, and dmesg shows:
      
        unregister_netdevice: waiting for lo to become free. Usage count = 1
      
      Fixes: ef7baf5e ("ip6_gre: add ip6 erspan collect_md mode")
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NWilliam Tu <u9012063@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      97b5f8c9
    • Y
      phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current · 4fb95f29
      Yoshihiro Shimoda 提交于
      commit e6839c31a608e79f2057fab987dd814f5d3477e6 upstream.
      
      The hardware manual should be revised, but the initial value of
      VBCTRL.OCCLREN is set to 1 actually. If the bit is set, the hardware
      clears VBCTRL.VBOUT and ADPCTRL.DRVVBUS registers automatically
      when the hardware detects over-current signal from a USB power switch.
      However, since the hardware doesn't have any registers which
      indicates over-current, the driver cannot handle it at all. So, if
      "is_otg_channel" hardware detects over-current, since ADPCTRL.DRVVBUS
      register is cleared automatically, the channel cannot be used after
      that.
      
      To resolve this behavior, this patch sets the VBCTRL.OCCLREN to 0
      to keep ADPCTRL.DRVVBUS even if the "is_otg_channel" hardware
      detects over-current. (We assume a USB power switch itself protects
      over-current and turns the VBUS off.)
      
      This patch is inspired by a BSP patch from Kazuya Mizuguchi.
      
      Fixes: 1114e2d3 ("phy: rcar-gen3-usb2: change the mode to OTG on the combined channel")
      Cc: <stable@vger.kernel.org> # v4.5+
      Signed-off-by: NYoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
      Signed-off-by: NKishon Vijay Abraham I <kishon@ti.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4fb95f29
    • S
      media: tm6000: double free if usb disconnect while streaming · abf389e0
      Sean Young 提交于
      commit 699bf94114151aae4dceb2d9dbf1a6312839dcae upstream.
      
      The usb_bulk_urb will kfree'd on disconnect, so ensure the pointer is set
      to NULL after each free.
      
      stop stream
      urb killing
      urb buffer free
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start stream request tm6000_start_stream
      tm6000: pipe reset
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: got start feed request tm6000_start_feed
      tm6000: IR URB failure: status: -71, length 0
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      xhci_hcd 0000:00:14.0: ERROR unknown event type 37
      tm6000:  error tm6000_urb_received
      usb 1-2: USB disconnect, device number 5
      tm6000: disconnecting tm6000 #0
      ==================================================================
      BUG: KASAN: use-after-free in dvb_fini+0x75/0x140 [tm6000_dvb]
      Read of size 8 at addr ffff888241044060 by task kworker/2:0/22
      
      CPU: 2 PID: 22 Comm: kworker/2:0 Tainted: G        W         5.3.0-rc4+ #1
      Hardware name: LENOVO 20KHCTO1WW/20KHCTO1WW, BIOS N23ET65W (1.40 ) 07/02/2019
      Workqueue: usb_hub_wq hub_event
      Call Trace:
       dump_stack+0x9a/0xf0
       print_address_description.cold+0xae/0x34f
       __kasan_report.cold+0x75/0x93
       ? tm6000_fillbuf+0x390/0x3c0 [tm6000_alsa]
       ? dvb_fini+0x75/0x140 [tm6000_dvb]
       kasan_report+0xe/0x12
       dvb_fini+0x75/0x140 [tm6000_dvb]
       tm6000_close_extension+0x51/0x80 [tm6000]
       tm6000_usb_disconnect.cold+0xd4/0x105 [tm6000]
       usb_unbind_interface+0xe4/0x390
       device_release_driver_internal+0x121/0x250
       bus_remove_device+0x197/0x260
       device_del+0x268/0x550
       ? __device_links_no_driver+0xd0/0xd0
       ? usb_remove_ep_devs+0x30/0x3b
       usb_disable_device+0x122/0x400
       usb_disconnect+0x153/0x430
       hub_event+0x800/0x1e40
       ? trace_hardirqs_on_thunk+0x1a/0x20
       ? hub_port_debounce+0x1f0/0x1f0
       ? retint_kernel+0x10/0x10
       ? lock_is_held_type+0xf1/0x130
       ? hub_port_debounce+0x1f0/0x1f0
       ? process_one_work+0x4ae/0xa00
       process_one_work+0x4ba/0xa00
       ? pwq_dec_nr_in_flight+0x160/0x160
       ? do_raw_spin_lock+0x10a/0x1d0
       worker_thread+0x7a/0x5c0
       ? process_one_work+0xa00/0xa00
       kthread+0x1d5/0x200
       ? kthread_create_worker_on_cpu+0xd0/0xd0
       ret_from_fork+0x3a/0x50
      
      Allocated by task 2682:
       save_stack+0x1b/0x80
       __kasan_kmalloc.constprop.0+0xc2/0xd0
       usb_alloc_urb+0x28/0x60
       tm6000_start_feed+0x10a/0x300 [tm6000_dvb]
       dmx_ts_feed_start_filtering+0x86/0x120 [dvb_core]
       dvb_dmxdev_start_feed+0x121/0x180 [dvb_core]
       dvb_dmxdev_filter_start+0xcb/0x540 [dvb_core]
       dvb_demux_do_ioctl+0x7ed/0x890 [dvb_core]
       dvb_usercopy+0x97/0x1f0 [dvb_core]
       dvb_demux_ioctl+0x11/0x20 [dvb_core]
       do_vfs_ioctl+0x5d8/0x9d0
       ksys_ioctl+0x5e/0x90
       __x64_sys_ioctl+0x3d/0x50
       do_syscall_64+0x74/0xe0
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Freed by task 22:
       save_stack+0x1b/0x80
       __kasan_slab_free+0x12c/0x170
       kfree+0xfd/0x3a0
       xhci_giveback_urb_in_irq+0xfe/0x230
       xhci_td_cleanup+0x276/0x340
       xhci_irq+0x1129/0x3720
       __handle_irq_event_percpu+0x6e/0x420
       handle_irq_event_percpu+0x6f/0x100
       handle_irq_event+0x55/0x84
       handle_edge_irq+0x108/0x3b0
       handle_irq+0x2e/0x40
       do_IRQ+0x83/0x1a0
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NSean Young <sean@mess.org>
      Signed-off-by: NMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      abf389e0
    • A
      USB: usbcore: Fix slab-out-of-bounds bug during device reset · 77d4e2a0
      Alan Stern 提交于
      commit 3dd550a2d36596a1b0ee7955da3b611c031d3873 upstream.
      
      The syzbot fuzzer provoked a slab-out-of-bounds error in the USB core:
      
      BUG: KASAN: slab-out-of-bounds in memcmp+0xa6/0xb0 lib/string.c:904
      Read of size 1 at addr ffff8881d175bed6 by task kworker/0:3/2746
      
      CPU: 0 PID: 2746 Comm: kworker/0:3 Not tainted 5.3.0-rc5+ #28
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x6a/0x32c mm/kasan/report.c:351
        __kasan_report.cold+0x1a/0x33 mm/kasan/report.c:482
        kasan_report+0xe/0x12 mm/kasan/common.c:612
        memcmp+0xa6/0xb0 lib/string.c:904
        memcmp include/linux/string.h:400 [inline]
        descriptors_changed drivers/usb/core/hub.c:5579 [inline]
        usb_reset_and_verify_device+0x564/0x1300 drivers/usb/core/hub.c:5729
        usb_reset_device+0x4c1/0x920 drivers/usb/core/hub.c:5898
        rt2x00usb_probe+0x53/0x7af
      drivers/net/wireless/ralink/rt2x00/rt2x00usb.c:806
      
      The error occurs when the descriptors_changed() routine (called during
      a device reset) attempts to compare the old and new BOS and capability
      descriptors.  The length it uses for the comparison is the
      wTotalLength value stored in BOS descriptor, but this value is not
      necessarily the same as the length actually allocated for the
      descriptors.  If it is larger the routine will call memcmp() with a
      length that is too big, thus reading beyond the end of the allocated
      region and leading to this fault.
      
      The kernel reads the BOS descriptor twice: first to get the total
      length of all the capability descriptors, and second to read it along
      with all those other descriptors.  A malicious (or very faulty) device
      may send different values for the BOS descriptor fields each time.
      The memory area will be allocated using the wTotalLength value read
      the first time, but stored within it will be the value read the second
      time.
      
      To prevent this possibility from causing any errors, this patch
      modifies the BOS descriptor after it has been read the second time:
      It sets the wTotalLength field to the actual length of the descriptors
      that were read in and validated.  Then the memcpy() call, or any other
      code using these descriptors, will be able to rely on wTotalLength
      being valid.
      
      Reported-and-tested-by: syzbot+35f4d916c623118d576e@syzkaller.appspotmail.com
      Signed-off-by: NAlan Stern <stern@rowland.harvard.edu>
      CC: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.1909041154260.1722-100000@iolanthe.rowland.orgSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      77d4e2a0
    • A
      powerpc/mm/radix: Use the right page size for vmemmap mapping · b01b1eb2
      Aneesh Kumar K.V 提交于
      commit 89a3496e0664577043666791ec07fb731d57c950 upstream.
      
      We use mmu_vmemmap_psize to find the page size for mapping the vmmemap area.
      With radix translation, we are suboptimally setting this value to PAGE_SIZE.
      
      We do check for 2M page size support and update mmu_vmemap_psize to use
      hugepage size but we suboptimally reset the value to PAGE_SIZE in
      radix__early_init_mmu(). This resulted in always mapping vmemmap area with
      64K page size.
      
      Fixes: 2bfd65e4 ("powerpc/mm/radix: Add radix callbacks for early init routines")
      Signed-off-by: NAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b01b1eb2
    • B
      Input: elan_i2c - remove Lenovo Legion Y7000 PnpID · 289f3c82
      Benjamin Tissoires 提交于
      commit 0c043d70d04711fe6c380df9065fdc44192c49bf upstream.
      
      Looks like the Bios of the Lenovo Legion Y7000 is using ELAN061B
      when the actual device is supposed to be used with hid-multitouch.
      
      Remove it from the list of the supported device, hoping that
      no one will complain about the loss in functionality.
      
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=203467
      Fixes: 738c06d0e456 ("Input: elan_i2c - add hardware ID for multiple Lenovo laptops")
      Signed-off-by: NBenjamin Tissoires <benjamin.tissoires@redhat.com>
      Signed-off-by: NDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      289f3c82
    • L
      RDMA/restrack: Release task struct which was hold by CM_ID object · 305c3b49
      Leon Romanovsky 提交于
      commit ed7a01fd3fd77f40b4ef2562b966a5decd8928d2 upstream.
      
      Tracking CM_ID resource is performed in two stages: creation of cm_id
      and connecting it to the cma_dev. It is needed because rdma-cm protocol
      exports two separate user-visible calls rdma_create_id and rdma_accept.
      
      At the time of CM_ID creation, the real owner of that object is unknown
      yet and we need to grab task_struct. This task_struct is released or
      reassigned in attach phase later on. but call to rdma_destroy_id left
      this task_struct unreleased.
      
      Such separation is unique to CM_ID and other restrack objects initialize
      in one shot. It means that it is safe to use "res->valid" check to catch
      unfinished CM_ID flow and release task_struct for that object.
      
      Fixes: 00313983 ("RDMA/nldev: provide detailed CM_ID information")
      Reported-by: NArtemy Kovalyov <artemyko@mellanox.com>
      Reviewed-by: NArtemy Kovalyov <artemyko@mellanox.com>
      Reviewed-by: NYossi Itigin <yosefe@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Reviewed-by: NSteve Wise <swise@opengridcomputing.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Cc: Håkon Bugge <haakon.bugge@oracle.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      305c3b49