1. 10 11月, 2019 25 次提交
  2. 06 11月, 2019 15 次提交
    • G
      Linux 4.19.82 · 5ee93551
      Greg Kroah-Hartman 提交于
      5ee93551
    • T
      Revert "ALSA: hda: Flush interrupts on disabling" · 914a7d42
      Takashi Iwai 提交于
      [ Upstream commit 1a7f60b9df614bb36d14dc0c0bc898a31b2b506f ]
      
      This reverts commit caa8422d01e983782548648e125fd617cadcec3f.
      
      It turned out that this commit caused a regression at shutdown /
      reboot, as the synchronize_irq() calls seems blocking the whole
      shutdown.  Also another part of the change about shuffling the call
      order looks suspicious; the azx_stop_chip() call disables the CORB /
      RIRB while the others may still need the CORB/RIRB update.
      
      Since the original commit itself was a cargo-fix, let's revert the
      whole patch.
      
      Fixes: caa8422d01e9 ("ALSA: hda: Flush interrupts on disabling")
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=205333
      BugLinK: https://bugs.freedesktop.org/show_bug.cgi?id=111174Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Link: https://lore.kernel.org/r/20191028081056.22010-1-tiwai@suse.deSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      914a7d42
    • N
      powerpc/powernv: Fix CPU idle to be called with IRQs disabled · 8f560302
      Nicholas Piggin 提交于
      [ Upstream commit 7d6475051fb3d9339c5c760ed9883bc0a9048b21 ]
      
      Commit e78a7614f3876 ("idle: Prevent late-arriving interrupts from
      disrupting offline") changes arch_cpu_idle_dead to be called with
      interrupts disabled, which triggers the WARN in pnv_smp_cpu_kill_self.
      
      Fix this by fixing up irq_happened after hard disabling, rather than
      requiring there are no pending interrupts, similarly to what was done
      done until commit 2525db04 ("powerpc/powernv: Simplify lazy IRQ
      handling in CPU offline").
      
      Fixes: e78a7614f3876 ("idle: Prevent late-arriving interrupts from disrupting offline")
      Reported-by: NPaul Mackerras <paulus@samba.org>
      Signed-off-by: NNicholas Piggin <npiggin@gmail.com>
      [mpe: Add unexpected_mask rather than checking for known bad values,
            change the WARN_ON() to a WARN_ON_ONCE()]
      Signed-off-by: NMichael Ellerman <mpe@ellerman.id.au>
      Link: https://lore.kernel.org/r/20191022115814.22456-1-npiggin@gmail.comSigned-off-by: NSasha Levin <sashal@kernel.org>
      8f560302
    • J
      ALSA: usb-audio: Add DSD support for Gustard U16/X26 USB Interface · 92930e92
      Justin Song 提交于
      [ Upstream commit e2995b95a914bbc6b5352be27d5d5f33ec802d2c ]
      
      This patch adds native DSD support for Gustard U16/X26 USB Interface.
      Tested using VID and fp->dsd_raw method.
      Signed-off-by: NJustin Song <flyingecar@gmail.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/CA+9XP1ipsFn+r3bCBKRinQv-JrJ+EHOGBdZWZoMwxFv0R8Y1MQ@mail.gmail.comSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      92930e92
    • J
      ALSA: usb-audio: Update DSD support quirks for Oppo and Rotel · c08182db
      Jussi Laako 提交于
      [ Upstream commit 0067e154b11e236d62a7a8205f321b097c21a35b ]
      
      Oppo has issued firmware updates that change alt setting used for DSD
      support. However, these devices seem to support auto-detection, so
      support is moved from explicit whitelisting to auto-detection.
      
      Also Rotel devices have USB interfaces that support DSD with
      auto-detection.
      Signed-off-by: NJussi Laako <jussi@sonarnerd.net>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c08182db
    • J
      ALSA: usb-audio: DSD auto-detection for Playback Designs · d8808d2e
      Jussi Laako 提交于
      [ Upstream commit eb7505d52a2f8b0cfc3fd7146d8cb2dab5a73f0d ]
      
      Add DSD support auto-detection for newer Playback Designs devices. Older
      device generations have a different USB interface implementation.
      
      Keep the auto-detection VID whitelist sorted.
      Signed-off-by: NJussi Laako <jussi@sonarnerd.net>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d8808d2e
    • T
      ALSA: timer: Fix mutex deadlock at releasing card · 83131743
      Takashi Iwai 提交于
      [ Upstream commit a39331867335d4a94b6165e306265c9e24aca073 ]
      
      When a card is disconnected while in use, the system waits until all
      opened files are closed then releases the card.  This is done via
      put_device() of the card device in each device release code.
      
      The recently reported mutex deadlock bug happens in this code path;
      snd_timer_close() for the timer device deals with the global
      register_mutex and it calls put_device() there.  When this timer
      device is the last one, the card gets freed and it eventually calls
      snd_timer_free(), which has again the protection with the global
      register_mutex -- boom.
      
      Basically put_device() call itself is race-free, so a relative simple
      workaround is to move this put_device() call out of the mutex.  For
      achieving that, in this patch, snd_timer_close_locked() got a new
      argument to store the card device pointer in return, and each caller
      invokes put_device() with the returned object after the mutex unlock.
      Reported-and-tested-by: NKirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      83131743
    • T
      ALSA: timer: Simplify error path in snd_timer_open() · 145fadf6
      Takashi Iwai 提交于
      [ Upstream commit 41672c0c24a62699d20aab53b98d843b16483053 ]
      
      Just a minor refactoring to use the standard goto for error paths in
      snd_timer_open() instead of open code.  The first mutex_lock() is
      moved to the beginning of the function to make the code clearer.
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      145fadf6
    • E
      sch_netem: fix rcu splat in netem_enqueue() · a6c91087
      Eric Dumazet 提交于
      commit 159d2c7d8106177bd9a986fd005a311fe0d11285 upstream.
      
      qdisc_root() use from netem_enqueue() triggers a lockdep warning.
      
      __dev_queue_xmit() uses rcu_read_lock_bh() which is
      not equivalent to rcu_read_lock() + local_bh_disable_bh as far
      as lockdep is concerned.
      
      WARNING: suspicious RCU usage
      5.3.0-rc7+ #0 Not tainted
      -----------------------------
      include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage!
      
      other info that might help us debug this:
      
      rcu_scheduler_active = 2, debug_locks = 1
      3 locks held by syz-executor427/8855:
       #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline]
       #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214
       #1: 00000000b5525c01 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x20a/0x3650 net/core/dev.c:3804
       #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline]
       #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_xmit_skb net/core/dev.c:3502 [inline]
       #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838
      
      stack backtrace:
      CPU: 0 PID: 8855 Comm: syz-executor427 Not tainted 5.3.0-rc7+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5357
       qdisc_root include/net/sch_generic.h:492 [inline]
       netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479
       __dev_xmit_skb net/core/dev.c:3527 [inline]
       __dev_queue_xmit+0x15d2/0x3650 net/core/dev.c:3838
       dev_queue_xmit+0x18/0x20 net/core/dev.c:3902
       neigh_hh_output include/net/neighbour.h:500 [inline]
       neigh_output include/net/neighbour.h:509 [inline]
       ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228
       __ip_finish_output net/ipv4/ip_output.c:308 [inline]
       __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290
       ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318
       NF_HOOK_COND include/linux/netfilter.h:294 [inline]
       ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417
       dst_output include/net/dst.h:436 [inline]
       ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125
       ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555
       udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:887
       udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1174
       inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311
       __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413
       __do_sys_sendmmsg net/socket.c:2442 [inline]
       __se_sys_sendmmsg net/socket.c:2439 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439
       do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a6c91087
    • V
      net: usb: sr9800: fix uninitialized local variable · 3ecf8529
      Valentin Vidic 提交于
      commit 77b6d09f4ae66d42cd63b121af67780ae3d1a5e9 upstream.
      
      Make sure res does not contain random value if the call to
      sr_read_cmd fails for some reason.
      
      Reported-by: syzbot+f1842130bbcfb335bac1@syzkaller.appspotmail.com
      Signed-off-by: NValentin Vidic <vvidic@valentin-vidic.from.hr>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3ecf8529
    • E
      bonding: fix potential NULL deref in bond_update_slave_arr · 14a703ef
      Eric Dumazet 提交于
      commit a7137534b597b7c303203e6bc3ed87e87a273bb8 upstream.
      
      syzbot got a NULL dereference in bond_update_slave_arr() [1],
      happening after a failure to allocate bond->slave_arr
      
      A workqueue (bond_slave_arr_handler) is supposed to retry
      the allocation later, but if the slave is removed before
      the workqueue had a chance to complete, bond->slave_arr
      can still be NULL.
      
      [1]
      
      Failed to build slave-array.
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] SMP KASAN PTI
      Modules linked in:
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:bond_update_slave_arr.cold+0xc6/0x198 drivers/net/bonding/bond_main.c:4039
      RSP: 0018:ffff88018fe33678 EFLAGS: 00010246
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc9000290b000
      RDX: 0000000000000000 RSI: ffffffff82b63037 RDI: ffff88019745ea20
      RBP: ffff88018fe33760 R08: ffff880170754280 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
      R13: ffff88019745ea00 R14: 0000000000000000 R15: ffff88018fe338b0
      FS:  00007febd837d700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004540a0 CR3: 00000001c242e005 CR4: 00000000001626f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       [<ffffffff82b5b45e>] __bond_release_one+0x43e/0x500 drivers/net/bonding/bond_main.c:1923
       [<ffffffff82b5b966>] bond_release drivers/net/bonding/bond_main.c:2039 [inline]
       [<ffffffff82b5b966>] bond_do_ioctl+0x416/0x870 drivers/net/bonding/bond_main.c:3562
       [<ffffffff83ae25f4>] dev_ifsioc+0x6f4/0x940 net/core/dev_ioctl.c:328
       [<ffffffff83ae2e58>] dev_ioctl+0x1b8/0xc70 net/core/dev_ioctl.c:495
       [<ffffffff83995ffd>] sock_do_ioctl+0x1bd/0x300 net/socket.c:1088
       [<ffffffff83996a80>] sock_ioctl+0x300/0x5d0 net/socket.c:1196
       [<ffffffff81b124db>] vfs_ioctl fs/ioctl.c:47 [inline]
       [<ffffffff81b124db>] file_ioctl fs/ioctl.c:501 [inline]
       [<ffffffff81b124db>] do_vfs_ioctl+0xacb/0x1300 fs/ioctl.c:688
       [<ffffffff81b12dc6>] SYSC_ioctl fs/ioctl.c:705 [inline]
       [<ffffffff81b12dc6>] SyS_ioctl+0xb6/0xe0 fs/ioctl.c:696
       [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305
       [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
      
      Fixes: ee637714 ("bonding: Simplify the xmit function for modes that use xmit_hash")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      14a703ef
    • J
      NFC: pn533: fix use-after-free and memleaks · 24aaf7f4
      Johan Hovold 提交于
      commit 6af3aa57a0984e061f61308fe181a9a12359fecc upstream.
      
      The driver would fail to deregister and its class device and free
      related resources on late probe errors.
      
      Reported-by: syzbot+cb035c75c03dbe34b796@syzkaller.appspotmail.com
      Fixes: 32ecc75d ("NFC: pn533: change order operations in dev registation")
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      24aaf7f4
    • D
      rxrpc: Fix trace-after-put looking at the put peer record · 8d9c4a9b
      David Howells 提交于
      commit 55f6c98e3674ce16038a1949c3f9ca5a9a99f289 upstream.
      
      rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
      of the refcount - which looks at the debug_id in the peer record.  But
      unless the refcount was reduced to zero, we no longer have the right to
      look in the record and, indeed, it may be deleted by some other thread.
      
      Fix this by getting the debug_id out before decrementing the refcount and
      then passing that into the tracepoint.
      
      This can cause the following symptoms:
      
          BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
          [inline]
          BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
          net/rxrpc/peer_object.c:435
          Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
      
      Fixes: 1159d4b4 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
      Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d9c4a9b
    • D
      rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record · e8e51ce7
      David Howells 提交于
      commit 9ebeddef58c41bd700419cdcece24cf64ce32276 upstream.
      
      The rxrpc_peer record needs to hold a reference on the rxrpc_local record
      it points as the peer is used as a base to access information in the
      rxrpc_local record.
      
      This can cause problems in __rxrpc_put_peer(), where we need the network
      namespace pointer, and in rxrpc_send_keepalive(), where we need to access
      the UDP socket, leading to symptoms like:
      
          BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
          [inline]
          BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
          net/rxrpc/peer_object.c:435
          Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216
      
      Fix this by taking a ref on the local record for the peer record.
      
      Fixes: ace45bec ("rxrpc: Fix firewall route keepalive")
      Fixes: 2baec2c3 ("rxrpc: Support network namespacing")
      Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e8e51ce7
    • D
      rxrpc: Fix call ref leak · 570ab0dd
      David Howells 提交于
      commit c48fc11b69e95007109206311b0187a3090591f3 upstream.
      
      When sendmsg() finds a call to continue on with, if the call is in an
      inappropriate state, it doesn't release the ref it just got on that call
      before returning an error.
      
      This causes the following symptom to show up with kasan:
      
      	BUG: KASAN: use-after-free in rxrpc_send_keepalive+0x8a2/0x940
      	net/rxrpc/output.c:635
      	Read of size 8 at addr ffff888064219698 by task kworker/0:3/11077
      
      where line 635 is:
      
      	whdr.epoch	= htonl(peer->local->rxnet->epoch);
      
      The local endpoint (which cannot be pinned by the call) has been released,
      but not the peer (which is pinned by the call).
      
      Fix this by releasing the call in the error path.
      
      Fixes: 37411cad ("rxrpc: Fix potential NULL-pointer exception")
      Reported-by: syzbot+d850c266e3df14da1d31@syzkaller.appspotmail.com
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      570ab0dd