1. 17 12月, 2018 40 次提交
    • R
      ASoC: wm_adsp: Fix dma-unsafe read of scratch registers · 737f3bb3
      Richard Fitzgerald 提交于
      [ Upstream commit 20e00db2f59bdddf8a8e241473ef8be94631d3ae ]
      
      Stack memory isn't DMA-safe so it isn't safe to use either
      regmap_raw_read or regmap_bulk_read to read into stack memory.
      
      The two functions to read the scratch registers were using
      stack memory and regmap_raw_read. It's not worth allocating
      memory just for this trivial read, and it isn't time-critical.
      A simple regmap_read for each register is sufficient.
      Signed-off-by: NRichard Fitzgerald <rf@opensource.cirrus.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      737f3bb3
    • K
      ASoC: rockchip: add missing slave_config setting for I2S · e4777c2e
      Katsuhiro Suzuki 提交于
      [ Upstream commit 16a8ee4c80b45984b6de1f90a49edcf336b7c621 ]
      
      This patch adds missing prepare_sleve_config that is needed for
      setup the DMA slave channel for I2S.
      Signed-off-by: NKatsuhiro Suzuki <katsuhiro@katsuster.net>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e4777c2e
    • S
      hwmon: (raspberrypi) Fix initial notify · dbc62bd3
      Stefan Wahren 提交于
      [ Upstream commit 35fdc3902179366489a12cae4cb3ccc3b95f0afe ]
      
      In case an under-voltage happens before probing the driver wont
      write the critical warning into the kernel log. So don't init
      of last_throttled during probe and fix this issue.
      
      Fixes: 74d1e007 ("hwmon: Add support for RPi voltage sensor")
      Reported-by: N"Noralf Trønnes" <noralf@tronnes.org>
      Signed-off-by: NStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      dbc62bd3
    • N
      hwmon (ina2xx) Fix NULL id pointer in probe() · 08cff351
      Nicolin Chen 提交于
      [ Upstream commit 70df9ebbd82c794ddfbb49d45b337f18d5588dc2 ]
      
      When using DT configurations, the id pointer might turn out to
      be NULL. Then the driver encounters NULL pointer access:
      
        Unable to handle kernel read from unreadable memory at vaddr 00000018
        [...]
        PC is at ina2xx_probe+0x114/0x200
        LR is at ina2xx_probe+0x10c/0x200
        [...]
        Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
      
      The reason is that i2c core returns the id pointer by matching
      id_table with client->name, while the client->name is actually
      using the name from the first string in the DT compatible list,
      not the best one. So i2c core would fail to match the id_table
      if the best matched compatible string isn't the first one, and
      then would return a NULL id pointer.
      
      This probably should be fixed in i2c core. But it doesn't hurt
      to make the driver robust. So this patch fixes it by using the
      "chip" that's added to unify both DT and non-DT configurations.
      
      Additionally, since id pointer could be null, so as id->name:
        ina2xx 10-0047: power monitor (null) (Rshunt = 1000 uOhm)
        ina2xx 10-0048: power monitor (null) (Rshunt = 10000 uOhm)
      
      So this patch also fixes NULL name pointer, using client->name
      to play safe and to align with hwmon->name.
      
      Fixes: bd0ddd4d ("hwmon: (ina2xx) Add OF device ID table")
      Signed-off-by: NNicolin Chen <nicoleotsuka@gmail.com>
      Signed-off-by: NGuenter Roeck <linux@roeck-us.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      08cff351
    • E
      s390/cio: Fix cleanup when unsupported IDA format is used · 61170596
      Eric Farman 提交于
      [ Upstream commit b89e242eee8d4cd8261d8d821c62c5d1efc454d0 ]
      
      Direct returns from within a loop are rude, but it doesn't mean it gets
      to avoid releasing the memory acquired beforehand.
      Signed-off-by: NEric Farman <farman@linux.ibm.com>
      Message-Id: <20181109023937.96105-3-farman@linux.ibm.com>
      Reviewed-by: NFarhan Ali <alifm@linux.ibm.com>
      Reviewed-by: NPierre Morel <pmorel@linux.ibm.com>
      Acked-by: NHalil Pasic <pasic@linux.ibm.com>
      Signed-off-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      61170596
    • E
      s390/cio: Fix cleanup of pfn_array alloc failure · a4f21114
      Eric Farman 提交于
      [ Upstream commit 806212f91c874b24cf9eb4a9f180323671b6c5ed ]
      
      If pfn_array_alloc fails somehow, we need to release the pfn_array_table
      that was malloc'd earlier.
      Signed-off-by: NEric Farman <farman@linux.ibm.com>
      Message-Id: <20181109023937.96105-2-farman@linux.ibm.com>
      Acked-by: NHalil Pasic <pasic@linux.ibm.com>
      Signed-off-by: NCornelia Huck <cohuck@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a4f21114
    • F
      netfilter: nf_tables: fix use-after-free when deleting compat expressions · 00bac44c
      Florian Westphal 提交于
      [ Upstream commit 29e3880109e357fdc607b4393f8308cef6af9413 ]
      
      nft_compat ops do not have static storage duration, unlike all other
      expressions.
      
      When nf_tables_expr_destroy() returns, expr->ops might have been
      free'd already, so we need to store next address before calling
      expression destructor.
      
      For same reason, we can't deref match pointer after nft_xt_put().
      
      This can be easily reproduced by adding msleep() before
      nft_match_destroy() returns.
      
      Fixes: 0ca743a5 ("netfilter: nf_tables: add compatibility layer for x_tables")
      Reported-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      00bac44c
    • T
      netfilter: xt_RATEEST: remove netns exit routine · e947f9aa
      Taehee Yoo 提交于
      [ Upstream commit 0fbcc5b568edab7d848b7c7fa66d44ffbd4133c0 ]
      
      xt_rateest_net_exit() was added to check whether rules are flushed
      successfully. but ->net_exit() callback is called earlier than
      ->destroy() callback.
      So that ->net_exit() callback can't check that.
      
      test commands:
         %ip netns add vm1
         %ip netns exec vm1 iptables -t mangle -I PREROUTING -p udp \
      	   --dport 1111 -j RATEEST --rateest-name ap \
      	   --rateest-interval 250ms --rateest-ewma 0.5s
         %ip netns del vm1
      
      splat looks like:
      [  668.813518] WARNING: CPU: 0 PID: 87 at net/netfilter/xt_RATEEST.c:210 xt_rateest_net_exit+0x210/0x340 [xt_RATEEST]
      [  668.813518] Modules linked in: xt_RATEEST xt_tcpudp iptable_mangle bpfilter ip_tables x_tables
      [  668.813518] CPU: 0 PID: 87 Comm: kworker/u4:2 Not tainted 4.19.0-rc7+ #21
      [  668.813518] Workqueue: netns cleanup_net
      [  668.813518] RIP: 0010:xt_rateest_net_exit+0x210/0x340 [xt_RATEEST]
      [  668.813518] Code: 00 48 8b 85 30 ff ff ff 4c 8b 23 80 38 00 0f 85 24 01 00 00 48 8b 85 30 ff ff ff 4d 85 e4 4c 89 a5 58 ff ff ff c6 00 f8 74 b2 <0f> 0b 48 83 c3 08 4c 39 f3 75 b0 48 b8 00 00 00 00 00 fc ff df 49
      [  668.813518] RSP: 0018:ffff8801156c73f8 EFLAGS: 00010282
      [  668.813518] RAX: ffffed0022ad8e85 RBX: ffff880118928e98 RCX: 5db8012a00000000
      [  668.813518] RDX: ffff8801156c7428 RSI: 00000000cb1d185f RDI: ffff880115663b74
      [  668.813518] RBP: ffff8801156c74d0 R08: ffff8801156633c0 R09: 1ffff100236440be
      [  668.813518] R10: 0000000000000001 R11: ffffed002367d852 R12: ffff880115142b08
      [  668.813518] R13: 1ffff10022ad8e81 R14: ffff880118928ea8 R15: dffffc0000000000
      [  668.813518] FS:  0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000
      [  668.813518] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  668.813518] CR2: 0000563aa69f4f28 CR3: 0000000105a16000 CR4: 00000000001006f0
      [  668.813518] Call Trace:
      [  668.813518]  ? unregister_netdevice_many+0xe0/0xe0
      [  668.813518]  ? xt_rateest_net_init+0x2c0/0x2c0 [xt_RATEEST]
      [  668.813518]  ? default_device_exit+0x1ca/0x270
      [  668.813518]  ? remove_proc_entry+0x1cd/0x390
      [  668.813518]  ? dev_change_net_namespace+0xd00/0xd00
      [  668.813518]  ? __init_waitqueue_head+0x130/0x130
      [  668.813518]  ops_exit_list.isra.10+0x94/0x140
      [  668.813518]  cleanup_net+0x45b/0x900
      [  668.813518]  ? net_drop_ns+0x110/0x110
      [  668.813518]  ? swapgs_restore_regs_and_return_to_usermode+0x3c/0x80
      [  668.813518]  ? save_trace+0x300/0x300
      [  668.813518]  ? lock_acquire+0x196/0x470
      [  668.813518]  ? lock_acquire+0x196/0x470
      [  668.813518]  ? process_one_work+0xb60/0x1de0
      [  668.813518]  ? _raw_spin_unlock_irq+0x29/0x40
      [  668.813518]  ? _raw_spin_unlock_irq+0x29/0x40
      [  668.813518]  ? __lock_acquire+0x4500/0x4500
      [  668.813518]  ? __lock_is_held+0xb4/0x140
      [  668.813518]  process_one_work+0xc13/0x1de0
      [  668.813518]  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
      [  668.813518]  ? set_load_weight+0x270/0x270
      [ ... ]
      
      Fixes: 3427b2ab ("netfilter: make xt_rateest hash table per net")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      e947f9aa
    • J
      perf tools: Fix crash on synthesizing the unit · f8328abb
      Jiri Olsa 提交于
      [ Upstream commit fb50c09e923870a358d68b0d58891bd145b8d7c7 ]
      
      Adam reported a record command crash for simple session like:
      
        $ perf record -e cpu-clock ls
      
      with following backtrace:
      
        Program received signal SIGSEGV, Segmentation fault.
        3543            ev = event_update_event__new(size + 1, PERF_EVENT_UPDATE__UNIT, evsel->id[0]);
        (gdb) bt
        #0  perf_event__synthesize_event_update_unit
        #1  0x000000000051e469 in perf_event__synthesize_extra_attr
        #2  0x00000000004445cb in record__synthesize
        #3  0x0000000000444bc5 in __cmd_record
        ...
      
      We synthesize an update event that needs to touch the evsel id array,
      which is not defined at that time. Fix this by forcing the id allocation
      for events with their unit defined.
      
      Reflecting possible read_format ID bit in the attr tests.
      Reported-by: NYongxin Liu <yongxin.liu@outlook.com>
      Signed-off-by: NJiri Olsa <jolsa@kernel.org>
      Cc: Adam Lee <leeadamrobert@gmail.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201477
      Fixes: bfd8f72c ("perf record: Synthesize unit/scale/... in event update")
      Link: http://lkml.kernel.org/r/20181112130012.5424-1-jolsa@kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f8328abb
    • F
      selftests: add script to stress-test nft packet path vs. control plane · d15443a1
      Florian Westphal 提交于
      [ Upstream commit 25d8bcedbf4329895dbaf9dd67baa6f18dad918c ]
      
      Start flood ping for each cpu while loading/flushing rulesets to make
      sure we do not access already-free'd rules from nf_tables evaluation loop.
      
      Also add this to TARGETS so 'make run_tests' in selftest dir runs it
      automatically.
      
      This would have caught the bug fixed in previous change
      ("netfilter: nf_tables: do not skip inactive chains during generation update")
      sooner.
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      d15443a1
    • F
      netfilter: nf_tables: don't skip inactive chains during update · 8fe8940f
      Florian Westphal 提交于
      [ Upstream commit 0fb39bbe43d4481fcf300d2b5822de60942fd189 ]
      
      There is no synchronization between packet path and the configuration plane.
      
      The packet path uses two arrays with rules, one contains the current (active)
      generation.  The other either contains the last (obsolete) generation or
      the future one.
      
      Consider:
      cpu1               cpu2
                         nft_do_chain(c);
      delete c
      net->gen++;
                         genbit = !!net->gen;
                         rules = c->rg[genbit];
      
      cpu1 ignores c when updating if c is not active anymore in the new
      generation.
      
      On cpu2, we now use rules from wrong generation, as c->rg[old]
      contains the rules matching 'c' whereas c->rg[new] was not updated and
      can even point to rules that have been free'd already, causing a crash.
      
      To fix this, make sure that 'current' to the 'next' generation are
      identical for chains that are going away so that c->rg[new] will just
      use the matching rules even if genbit was incremented already.
      
      Fixes: 0cbc06b3 ("netfilter: nf_tables: remove synchronize_rcu in commit phase")
      Signed-off-by: NFlorian Westphal <fw@strlen.de>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8fe8940f
    • T
      netfilter: nf_conncount: fix unexpected permanent node of list. · 4a3b49f0
      Taehee Yoo 提交于
      [ Upstream commit 3c5cdb17c3be76714dfd0d03e384f70579545614 ]
      
      When list->count is 0, the list is deleted by GC. But list->count is
      never reached 0 because initial count value is 1 and it is increased
      when node is inserted. So that initial value of list->count should be 0.
      
      Originally GC always finds zero count list through deleting node and
      decreasing count. However, list may be left empty since node insertion
      may fail eg.  allocaton problem. In order to solve this problem, GC
      routine also finds zero count list without deleting node.
      
      Fixes: cb2b36f5 ("netfilter: nf_conncount: Switch to plain list")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      4a3b49f0
    • T
      netfilter: nf_conncount: fix list_del corruption in conn_free · ae60f470
      Taehee Yoo 提交于
      [ Upstream commit 31568ec09ea02a050249921698c9729419539cce ]
      
      nf_conncount_tuple is an element of nft_connlimit and that is deleted by
      conn_free(). Elements can be deleted by both GC routine and data path
      functions (nf_conncount_lookup, nf_conncount_add) and they call
      conn_free() to free elements. But conn_free() only protects lists, not
      each element. So that list_del corruption could occurred.
      
      The conn_free() doesn't check whether element is already deleted. In
      order to protect elements, dead flag is added. If an element is deleted,
      dead flag is set. The only conn_free() can delete elements so that both
      list lock and dead flag are enough to protect it.
      
      test commands:
         %nft add table ip filter
         %nft add chain ip filter input { type filter hook input priority 0\; }
         %nft add rule filter input meter test { ip id ct count over 2 } counter
      
      splat looks like:
      [ 1779.495778] list_del corruption, ffff8800b6e12008->prev is LIST_POISON2 (dead000000000200)
      [ 1779.505453] ------------[ cut here ]------------
      [ 1779.506260] kernel BUG at lib/list_debug.c:50!
      [ 1779.515831] invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI
      [ 1779.516772] CPU: 0 PID: 33 Comm: kworker/0:2 Not tainted 4.19.0-rc6+ #22
      [ 1779.516772] Workqueue: events_power_efficient nft_rhash_gc [nf_tables_set]
      [ 1779.516772] RIP: 0010:__list_del_entry_valid+0xd8/0x150
      [ 1779.516772] Code: 39 48 83 c4 08 b8 01 00 00 00 5b 5d c3 48 89 ea 48 c7 c7 00 c3 5b 98 e8 0f dc 40 ff 0f 0b 48 c7 c7 60 c3 5b 98 e8 01 dc 40 ff <0f> 0b 48 c7 c7 c0 c3 5b 98 e8 f3 db 40 ff 0f 0b 48 c7 c7 20 c4 5b
      [ 1779.516772] RSP: 0018:ffff880119127420 EFLAGS: 00010286
      [ 1779.516772] RAX: 000000000000004e RBX: dead000000000200 RCX: 0000000000000000
      [ 1779.516772] RDX: 000000000000004e RSI: 0000000000000008 RDI: ffffed0023224e7a
      [ 1779.516772] RBP: ffff88011934bc10 R08: ffffed002367cea9 R09: ffffed002367cea9
      [ 1779.516772] R10: 0000000000000001 R11: ffffed002367cea8 R12: ffff8800b6e12008
      [ 1779.516772] R13: ffff8800b6e12010 R14: ffff88011934bc20 R15: ffff8800b6e12008
      [ 1779.516772] FS:  0000000000000000(0000) GS:ffff88011b200000(0000) knlGS:0000000000000000
      [ 1779.516772] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 1779.516772] CR2: 00007fc876534010 CR3: 000000010da16000 CR4: 00000000001006f0
      [ 1779.516772] Call Trace:
      [ 1779.516772]  conn_free+0x9f/0x2b0 [nf_conncount]
      [ 1779.516772]  ? nf_ct_tmpl_alloc+0x2a0/0x2a0 [nf_conntrack]
      [ 1779.516772]  ? nf_conncount_add+0x520/0x520 [nf_conncount]
      [ 1779.516772]  ? do_raw_spin_trylock+0x1a0/0x1a0
      [ 1779.516772]  ? do_raw_spin_trylock+0x10/0x1a0
      [ 1779.516772]  find_or_evict+0xe5/0x150 [nf_conncount]
      [ 1779.516772]  nf_conncount_gc_list+0x162/0x360 [nf_conncount]
      [ 1779.516772]  ? nf_conncount_lookup+0xee0/0xee0 [nf_conncount]
      [ 1779.516772]  ? _raw_spin_unlock_irqrestore+0x45/0x50
      [ 1779.516772]  ? trace_hardirqs_off+0x6b/0x220
      [ 1779.516772]  ? trace_hardirqs_on_caller+0x220/0x220
      [ 1779.516772]  nft_rhash_gc+0x16b/0x540 [nf_tables_set]
      [ ... ]
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ae60f470
    • T
      netfilter: nf_conncount: use spin_lock_bh instead of spin_lock · 08c7e68a
      Taehee Yoo 提交于
      [ Upstream commit fd3e71a9f71e232181a225301a75936373636ccc ]
      
      conn_free() holds lock with spin_lock() and it is called by both
      nf_conncount_lookup() and nf_conncount_gc_list(). nf_conncount_lookup()
      is called from bottom-half context and nf_conncount_gc_list() from
      process context. So that spin_lock() call is not safe. Hence
      conn_free() should use spin_lock_bh() instead of spin_lock().
      
      test commands:
         %nft add table ip filter
         %nft add chain ip filter input { type filter hook input priority 0\; }
         %nft add rule filter input meter test { ip saddr ct count over 2 } \
      	   counter
      
      splat looks like:
      [  461.996507] ================================
      [  461.998999] WARNING: inconsistent lock state
      [  461.998999] 4.19.0-rc6+ #22 Not tainted
      [  461.998999] --------------------------------
      [  461.998999] inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
      [  461.998999] kworker/0:2/134 [HC0[0]:SC0[0]:HE1:SE1] takes:
      [  461.998999] 00000000a71a559a (&(&list->list_lock)->rlock){+.?.}, at: conn_free+0x69/0x2b0 [nf_conncount]
      [  461.998999] {IN-SOFTIRQ-W} state was registered at:
      [  461.998999]   _raw_spin_lock+0x30/0x70
      [  461.998999]   nf_conncount_add+0x28a/0x520 [nf_conncount]
      [  461.998999]   nft_connlimit_eval+0x401/0x580 [nft_connlimit]
      [  461.998999]   nft_dynset_eval+0x32b/0x590 [nf_tables]
      [  461.998999]   nft_do_chain+0x497/0x1430 [nf_tables]
      [  461.998999]   nft_do_chain_ipv4+0x255/0x330 [nf_tables]
      [  461.998999]   nf_hook_slow+0xb1/0x160
      [ ... ]
      [  461.998999] other info that might help us debug this:
      [  461.998999]  Possible unsafe locking scenario:
      [  461.998999]
      [  461.998999]        CPU0
      [  461.998999]        ----
      [  461.998999]   lock(&(&list->list_lock)->rlock);
      [  461.998999]   <Interrupt>
      [  461.998999]     lock(&(&list->list_lock)->rlock);
      [  461.998999]
      [  461.998999]  *** DEADLOCK ***
      [  461.998999]
      [ ... ]
      
      Fixes: 5c789e13 ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
      Signed-off-by: NTaehee Yoo <ap420073@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      08c7e68a
    • Y
      sysv: return 'err' instead of 0 in __sysv_write_inode · f6168a80
      YueHaibing 提交于
      [ Upstream commit c4b7d1ba7d263b74bb72e9325262a67139605cde ]
      
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      fs/sysv/inode.c: In function '__sysv_write_inode':
      fs/sysv/inode.c:239:6: warning:
       variable 'err' set but not used [-Wunused-but-set-variable]
      
      __sysv_write_inode should return 'err' instead of 0
      
      Fixes: 05459ca8 ("repair sysv_write_inode(), switch sysv to simple_fsync()")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      f6168a80
    • B
      arm64: dts: sdm845-mtp: Reserve reserved gpios · 1eb8dd51
      Bjorn Andersson 提交于
      [ Upstream commit 5f8d3ab136d0ccb59c4d628d8f85e0d8f2761d07 ]
      
      With the introduction of commit 3edfb7bd76bd ("gpiolib: Show correct
      direction from the beginning") the gpiolib will attempt to read the
      direction of all pins, which triggers a read from protected register
      regions.
      
      The pins 0 through 3 and 81 through 84 are protected, so mark these as
      reserved.
      Signed-off-by: NBjorn Andersson <bjorn.andersson@linaro.org>
      Reviewed-by: NStephen Boyd <sboyd@kernel.org>
      Reviewed-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NAndy Gross <andy.gross@linaro.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1eb8dd51
    • V
      ASoC: sun8i-codec: fix crash on module removal · 411b321f
      Vasily Khoruzhick 提交于
      [ Upstream commit 278df5e5527b633f4882f1680ad58b62a7c07bfe ]
      
      drvdata is actually sun8i_codec, not snd_soc_card, so it crashes
      when calling snd_soc_card_get_drvdata().
      
      Drop card and scodec vars anyway since we don't need to
      disable/unprepare clocks - it's already done by calling
      runtime_suspend()
      
      Drop clk_disable_unprepare() calls for the same reason.
      
      Fixes: 36c68493 ("ASoC: Add sun8i digital audio codec")
      Signed-off-by: NVasily Khoruzhick <anarsoul@gmail.com>
      Acked-by: NMaxime Ripard <maxime.ripard@bootlin.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      411b321f
    • Q
      tools: bpftool: prevent infinite loop in get_fdinfo() · b42ab528
      Quentin Monnet 提交于
      [ Upstream commit 53909030aa29bffe1f8490df62176c2375135652 ]
      
      Function getline() returns -1 on failure to read a line, thus creating
      an infinite loop in get_fdinfo() if the key is not found. Fix it by
      calling the function only as long as we get a strictly positive return
      value.
      
      Found by copying the code for a key which is not always present...
      
      Fixes: 71bb428f ("tools: bpf: add bpftool")
      Signed-off-by: NQuentin Monnet <quentin.monnet@netronome.com>
      Reviewed-by: NJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b42ab528
    • J
      ARM: OMAP1: ams-delta: Fix possible use of uninitialized field · 136c5237
      Janusz Krzysztofik 提交于
      [ Upstream commit cec83ff1241ec98113a19385ea9e9cfa9aa4125b ]
      
      While playing with initialization order of modem device, it has been
      discovered that under some circumstances (early console init, I
      believe) its .pm() callback may be called before the
      uart_port->private_data pointer is initialized from
      plat_serial8250_port->private_data, resulting in NULL pointer
      dereference.  Fix it by checking for uninitialized pointer before using
      it in modem_pm().
      
      Fixes: aabf3173 ("ARM: OMAP1: ams-delta: update the modem to use regulator API")
      Signed-off-by: NJanusz Krzysztofik <jmkrzyszt@gmail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      136c5237
    • A
      ARM: dts: am3517-som: Fix WL127x Wifi interrupt · 28f3050b
      Adam Ford 提交于
      [ Upstream commit 419b194cdedc76d0d3cd5b0900db0fa8177c4a52 ]
      
      At the same time the AM3517 EVM was gaining WiFi support,
      separate patches were introduced to move the interrupt
      from HIGH to RISING.  Because they overlapped, this was not
      done to the AM3517-EVM.  This patch fixes Kernel 4.19+
      
      Fixes: 6bf5e341 ("ARM: dts: am3517-som: Add WL127x Wifi")
      Signed-off-by: NAdam Ford <aford173@gmail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      28f3050b
    • A
      ARM: dts: logicpd-somlv: Fix interrupt on mmc3_dat1 · 9f7df2a3
      Adam Ford 提交于
      [ Upstream commit 3d8b804bc528d3720ec0c39c212af92dafaf6e84 ]
      
      The interrupt on mmc3_dat1 is wrong which prevents this from
      appearing in /proc/interrupts.
      
      Fixes: ab8dd3ae ("ARM: DTS: Add minimal Support for Logic PD
      DM3730 SOM-LV") #Kernel 4.9+
      Signed-off-by: NAdam Ford <aford173@gmail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9f7df2a3
    • A
      ARM: dts: LogicPD Torpedo: Fix mmc3_dat1 interrupt · 09372f3c
      Adam Ford 提交于
      [ Upstream commit 6809564d64ff1301d44c13334cc0e8369e825a20 ]
      
      When the Torpedo was first introduced back at Kernel 4.2,
      the interrupt extended flag has been set incorrectly.
      
      It was subsequently moved, so this patch corrects Kernel
      4.18+
      
      Fixes: a3886730 ("ARM: dts: Move move WiFi bindings to
      logicpd-torpedo-37xx-devkit") # v4.18+
      Signed-off-by: NAdam Ford <aford173@gmail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      09372f3c
    • A
      ARM: dts: am3517: Fix pinmuxing for CD on MMC1 · 886e00c5
      Adam Ford 提交于
      [ Upstream commit e7f4ffffa972db4820c23ff9831a6a4f3f6d8cc5 ]
      
      The MMC1 is active low, not active high.  For some reason,
      this worked with different combination of U-Boot and kernels,
      but it's supposed to be active low and is currently broken.
      
      Fixes: cfaa856a ("ARM: dts: am3517: Add pinmuxing, CD and
      WP for MMC1") #kernel 4.18+
      Signed-off-by: NAdam Ford <aford173@gmail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      886e00c5
    • C
      staging: rtl8723bs: Fix the return value in case of error in 'rtw_wx_read32()' · de7e3f88
      Christophe JAILLET 提交于
      [ Upstream commit c3e43d8b958bd6849817393483e805d8638a8ab7 ]
      
      We return 0 unconditionally in 'rtw_wx_read32()'.
      However, 'ret' is set to some error codes in several error handling paths.
      
      Return 'ret' instead to propagate the error code.
      
      Fixes: 554c0a3a ("staging: Add rtl8723bs sdio wifi driver")
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      de7e3f88
    • S
      ASoC: qdsp6: q6afe-dai: Fix the dai widgets · 748b7861
      Srinivas Kandagatla 提交于
      [ Upstream commit e14856f6cfbb1b96aa45a68f188b147b5bde76b4 ]
      
      For some reason the dapm widgets are incorrectly defined from the start,
      Not sure how we ended up with such thing. Fix them now!
      
      Without this fix the backend dais are always powered up even if there
      is no active stream.
      Reported-by: NJimmy Cheng-Yi Chiang <cychiang@google.com>
      Reported-by: NRohit kumar <rohitkr@codeaurora.org>
      Signed-off-by: NSrinivas Kandagatla <srinivas.kandagatla@linaro.org>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      748b7861
    • R
      ASoC: qdsp6: q6afe: Fix wrong MI2S SD line mask · 32d28e24
      Rohit kumar 提交于
      [ Upstream commit 112b57fa737445b2361be332ce8cc0fd3e2b994e ]
      
      SD line mask for MI2S starts from BIT 0 instead of BIT 1.
      Fix all bit mask for MI2S SD lines.
      Signed-off-by: NRohit kumar <rohitkr@codeaurora.org>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      32d28e24
    • K
      ASoC: rsnd: fixup clock start checker · 8ec3e555
      Kuninori Morimoto 提交于
      [ Upstream commit 3ee9a76a8c5a10e1bfb04b81db767c6d562ddaf3 ]
      
      commit 4d230d12 ("ASoC: rsnd: fixup not to call clk_get/set under
      non-atomic") fixuped clock start timing. But it exchanged clock start
      checker from ssi->usrcnt to ssi->rate.
      
      Current rsnd_ssi_master_clk_start() is called from .prepare,
      but some player (for example GStreamer) might calls it many times.
      In such case, the checker might returns error even though it was not
      error. It should check ssi->usrcnt instead of ssi->rate.
      This patch fixup it. Without this patch, GStreamer can't switch
      48kHz / 44.1kHz.
      Reported-by: NYusuke Goda <yusuke.goda.sx@renesas.com>
      Signed-off-by: NKuninori Morimoto <kuninori.morimoto.gx@renesas.com>
      Tested-by: NYusuke Goda <yusuke.goda.sx@renesas.com>
      Signed-off-by: NMark Brown <broonie@kernel.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      8ec3e555
    • N
      ARM: OMAP2+: prm44xx: Fix section annotation on omap44xx_prm_enable_io_wakeup · 5a8fbba7
      Nathan Chancellor 提交于
      [ Upstream commit eef3dc34a1e0b01d53328b88c25237bcc7323777 ]
      
      When building the kernel with Clang, the following section mismatch
      warning appears:
      
      WARNING: vmlinux.o(.text+0x38b3c): Section mismatch in reference from
      the function omap44xx_prm_late_init() to the function
      .init.text:omap44xx_prm_enable_io_wakeup()
      The function omap44xx_prm_late_init() references
      the function __init omap44xx_prm_enable_io_wakeup().
      This is often because omap44xx_prm_late_init lacks a __init
      annotation or the annotation of omap44xx_prm_enable_io_wakeup is wrong.
      
      Remove the __init annotation from omap44xx_prm_enable_io_wakeup so there
      is no more mismatch.
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5a8fbba7
    • S
      net: fix XPS static_key accounting · 9ac60749
      Sabrina Dubroca 提交于
      [ Upstream commit 867d0ad476db89a1e8af3f297af402399a54eea5 ]
      
      Commit 04157469 ("net: Use static_key for XPS maps") introduced a
      static key for XPS, but the increments/decrements don't match.
      
      First, the static key's counter is incremented once for each queue, but
      only decremented once for a whole batch of queues, leading to large
      unbalances.
      
      Second, the xps_rxqs_needed key is decremented whenever we reset a batch
      of queues, whether they had any rxqs mapping or not, so that if we setup
      cpu-XPS on em1 and RXQS-XPS on em2, resetting the queues on em1 would
      decrement the xps_rxqs_needed key.
      
      This reworks the accounting scheme so that the xps_needed key is
      incremented only once for each type of XPS for all the queues on a
      device, and the xps_rxqs_needed key is incremented only once for all
      queues. This is sufficient to let us retrieve queues via
      get_xps_queue().
      
      This patch introduces a new reset_xps_maps(), which reinitializes and
      frees the appropriate map (xps_rxqs_map or xps_cpus_map), and drops a
      reference to the needed keys:
       - both xps_needed and xps_rxqs_needed, in case of rxqs maps,
       - only xps_needed, in case of CPU maps.
      
      Now, we also need to call reset_xps_maps() at the end of
      __netif_set_xps_queue() when there's no active map left, for example
      when writing '00000000,00000000' to all queues' xps_rxqs setting.
      
      Fixes: 04157469 ("net: Use static_key for XPS maps")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      9ac60749
    • S
      net: restore call to netdev_queue_numa_node_write when resetting XPS · b4b8a71c
      Sabrina Dubroca 提交于
      [ Upstream commit f28c020fb488e1a8b87469812017044bef88aa2b ]
      
      Before commit 80d19669 ("net: Refactor XPS for CPUs and Rx queues"),
      netif_reset_xps_queues() did netdev_queue_numa_node_write() for all the
      queues being reset. Now, this is only done when the "active" variable in
      clean_xps_maps() is false, ie when on all the CPUs, there's no active
      XPS mapping left.
      
      Fixes: 80d19669 ("net: Refactor XPS for CPUs and Rx queues")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b4b8a71c
    • X
      sctp: update frag_point when stream_interleave is set · a275c66b
      Xin Long 提交于
      [ Upstream commit 4135cce7fd0a0d755665c02728578c7c5afe4726 ]
      
      sctp_assoc_update_frag_point() should be called whenever asoc->pathmtu
      changes, but we missed one place in sctp_association_init(). It would
      cause frag_point is zero when sending data.
      
      As says in Jakub's reproducer, if sp->pathmtu is set by socketopt, the
      new asoc->pathmtu inherits it in sctp_association_init(). Later when
      transports are added and their pmtu >= asoc->pathmtu, it will never
      call sctp_assoc_update_frag_point() to set frag_point.
      
      This patch is to fix it by updating frag_point after asoc->pathmtu is
      set as sp->pathmtu in sctp_association_init(). Note that it moved them
      after sctp_stream_init(), as stream->si needs to be set first.
      
      Frag_point's calculation is also related with datachunk's type, so it
      needs to update frag_point when stream->si may be changed in
      sctp_process_init().
      
      v1->v2:
        - call sctp_assoc_update_frag_point() separately in sctp_process_init
          and sctp_association_init, per Marcelo's suggestion.
      
      Fixes: 2f5e3c9d ("sctp: introduce sctp_assoc_update_frag_point")
      Reported-by: NJakub Audykowicz <jakub.audykowicz@gmail.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a275c66b
    • B
      net: phy: sfp: correct store of detected link modes · 4aa6d46d
      Baruch Siach 提交于
      [ Upstream commit d7f7e0018b96fd1a30a968faa9464eb57372c1ec ]
      
      The link modes that sfp_parse_support() detects are stored in the
      'modes' bitmap. There is no reason to make an exception for 1000Base-PX
      or 1000Base-BX10.
      
      Fixes: 03145864 ("sfp: support 1G BiDi (eg, FiberStore SFP-GE-BX) modules")
      Signed-off-by: NBaruch Siach <baruch@tkos.co.il>
      Acked-by: NRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4aa6d46d
    • J
      virtio-net: keep vnet header zeroed after processing XDP · a7dba859
      Jason Wang 提交于
      [ Upstream commit 436c9453a1ac0944b82870ef2e0d9be956b396d9 ]
      
      We copy vnet header unconditionally in page_to_skb() this is wrong
      since XDP may modify the packet data. So let's keep a zeroed vnet
      header for not confusing the conversion between vnet header and skb
      metadata.
      
      In the future, we should able to detect whether or not the packet was
      modified and keep using the vnet header when packet was not touched.
      
      Fixes: f600b690 ("virtio_net: Add XDP support")
      Reported-by: NPavel Popa <pashinho1990@gmail.com>
      Signed-off-by: NJason Wang <jasowang@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a7dba859
    • N
      tun: forbid iface creation with rtnl ops · 36206419
      Nicolas Dichtel 提交于
      [ Upstream commit 35b827b6d06199841a83839e8bb69c0cd13a28be ]
      
      It's not supported right now (the goal of the initial patch was to support
      'ip link del' only).
      
      Before the patch:
      $ ip link add foo type tun
      [  239.632660] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
      [snip]
      [  239.636410] RIP: 0010:register_netdevice+0x8e/0x3a0
      
      This panic occurs because dev->netdev_ops is not set by tun_setup(). But to
      have something usable, it will require more than just setting
      netdev_ops.
      
      Fixes: f019a7a5 ("tun: Implement ip link del tunXXX")
      CC: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: NNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      36206419
    • Y
      tcp: fix NULL ref in tail loss probe · bbc83e8d
      Yuchung Cheng 提交于
      [ Upstream commit b2b7af861122a0c0f6260155c29a1b2e594cd5b5 ]
      
      TCP loss probe timer may fire when the retranmission queue is empty but
      has a non-zero tp->packets_out counter. tcp_send_loss_probe will call
      tcp_rearm_rto which triggers NULL pointer reference by fetching the
      retranmission queue head in its sub-routines.
      
      Add a more detailed warning to help catch the root cause of the inflight
      accounting inconsistency.
      Reported-by: NRafael Tinoco <rafael.tinoco@linaro.org>
      Signed-off-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Signed-off-by: NNeal Cardwell <ncardwell@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bbc83e8d
    • E
      tcp: Do not underestimate rwnd_limited · 03b271cb
      Eric Dumazet 提交于
      [ Upstream commit 41727549de3e7281feb174d568c6e46823db8684 ]
      
      If available rwnd is too small, tcp_tso_should_defer()
      can decide it is worth waiting before splitting a TSO packet.
      
      This really means we are rwnd limited.
      
      Fixes: 5615f886 ("tcp: instrument how long TCP is limited by receive window")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NSoheil Hassas Yeganeh <soheil@google.com>
      Reviewed-by: NYuchung Cheng <ycheng@google.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      03b271cb
    • X
      sctp: kfree_rcu asoc · 5148726f
      Xin Long 提交于
      [ Upstream commit fb6df5a6234c38a9c551559506a49a677ac6f07a ]
      
      In sctp_hash_transport/sctp_epaddr_lookup_transport, it dereferences
      a transport's asoc under rcu_read_lock while asoc is freed not after
      a grace period, which leads to a use-after-free panic.
      
      This patch fixes it by calling kfree_rcu to make asoc be freed after
      a grace period.
      
      Note that only the asoc's memory is delayed to free in the patch, it
      won't cause sk to linger longer.
      
      Thanks Neil and Marcelo to make this clear.
      
      Fixes: 7fda702f ("sctp: use new rhlist interface on sctp transport rhashtable")
      Fixes: cd2b7087 ("sctp: check duplicate node before inserting a new transport")
      Reported-by: syzbot+0b05d8aa7cb185107483@syzkaller.appspotmail.com
      Reported-by: syzbot+aad231d51b1923158444@syzkaller.appspotmail.com
      Suggested-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: NNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5148726f
    • E
      rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices · a482f800
      Eric Dumazet 提交于
      [ Upstream commit 688838934c231bb08f46db687e57f6d8bf82709c ]
      
      kmsan was able to trigger a kernel-infoleak using a gre device [1]
      
      nlmsg_populate_fdb_fill() has a hard coded assumption
      that dev->addr_len is ETH_ALEN, as normally guaranteed
      for ARPHRD_ETHER devices.
      
      A similar issue was fixed recently in commit da71577545a5
      ("rtnetlink: Disallow FDB configuration for non-Ethernet device")
      
      [1]
      BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:143 [inline]
      BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
      CPU: 0 PID: 6697 Comm: syz-executor310 Not tainted 4.20.0-rc3+ #95
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x32d/0x480 lib/dump_stack.c:113
       kmsan_report+0x12c/0x290 mm/kmsan/kmsan.c:683
       kmsan_internal_check_memory+0x32a/0xa50 mm/kmsan/kmsan.c:743
       kmsan_copy_to_user+0x78/0xd0 mm/kmsan/kmsan_hooks.c:634
       copyout lib/iov_iter.c:143 [inline]
       _copy_to_iter+0x4c0/0x2700 lib/iov_iter.c:576
       copy_to_iter include/linux/uio.h:143 [inline]
       skb_copy_datagram_iter+0x4e2/0x1070 net/core/datagram.c:431
       skb_copy_datagram_msg include/linux/skbuff.h:3316 [inline]
       netlink_recvmsg+0x6f9/0x19d0 net/netlink/af_netlink.c:1975
       sock_recvmsg_nosec net/socket.c:794 [inline]
       sock_recvmsg+0x1d1/0x230 net/socket.c:801
       ___sys_recvmsg+0x444/0xae0 net/socket.c:2278
       __sys_recvmsg net/socket.c:2327 [inline]
       __do_sys_recvmsg net/socket.c:2337 [inline]
       __se_sys_recvmsg+0x2fa/0x450 net/socket.c:2334
       __x64_sys_recvmsg+0x4a/0x70 net/socket.c:2334
       do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      RIP: 0033:0x441119
      Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007fffc7f008a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002f
      RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441119
      RDX: 0000000000000040 RSI: 00000000200005c0 RDI: 0000000000000003
      RBP: 00000000006cc018 R08: 0000000000000100 R09: 0000000000000100
      R10: 0000000000000100 R11: 0000000000000207 R12: 0000000000402080
      R13: 0000000000402110 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was stored to memory at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
       kmsan_save_stack mm/kmsan/kmsan.c:261 [inline]
       kmsan_internal_chain_origin+0x13d/0x240 mm/kmsan/kmsan.c:469
       kmsan_memcpy_memmove_metadata+0x1a9/0xf70 mm/kmsan/kmsan.c:344
       kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:362
       __msan_memcpy+0x61/0x70 mm/kmsan/kmsan_instr.c:162
       __nla_put lib/nlattr.c:744 [inline]
       nla_put+0x20a/0x2d0 lib/nlattr.c:802
       nlmsg_populate_fdb_fill+0x444/0x810 net/core/rtnetlink.c:3466
       nlmsg_populate_fdb net/core/rtnetlink.c:3775 [inline]
       ndo_dflt_fdb_dump+0x73a/0x960 net/core/rtnetlink.c:3807
       rtnl_fdb_dump+0x1318/0x1cb0 net/core/rtnetlink.c:3979
       netlink_dump+0xc79/0x1c90 net/netlink/af_netlink.c:2244
       __netlink_dump_start+0x10c4/0x11d0 net/netlink/af_netlink.c:2352
       netlink_dump_start include/linux/netlink.h:216 [inline]
       rtnetlink_rcv_msg+0x141b/0x1540 net/core/rtnetlink.c:4910
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:246 [inline]
       kmsan_internal_poison_shadow+0x6d/0x130 mm/kmsan/kmsan.c:170
       kmsan_kmalloc+0xa1/0x100 mm/kmsan/kmsan_hooks.c:186
       __kmalloc+0x14c/0x4d0 mm/slub.c:3825
       kmalloc include/linux/slab.h:551 [inline]
       __hw_addr_create_ex net/core/dev_addr_lists.c:34 [inline]
       __hw_addr_add_ex net/core/dev_addr_lists.c:80 [inline]
       __dev_mc_add+0x357/0x8a0 net/core/dev_addr_lists.c:670
       dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687
       ip_mc_filter_add net/ipv4/igmp.c:1128 [inline]
       igmp_group_added+0x4d4/0xb80 net/ipv4/igmp.c:1311
       __ip_mc_inc_group+0xea9/0xf70 net/ipv4/igmp.c:1444
       ip_mc_inc_group net/ipv4/igmp.c:1453 [inline]
       ip_mc_up+0x1c3/0x400 net/ipv4/igmp.c:1775
       inetdev_event+0x1d03/0x1d80 net/ipv4/devinet.c:1522
       notifier_call_chain kernel/notifier.c:93 [inline]
       __raw_notifier_call_chain kernel/notifier.c:394 [inline]
       raw_notifier_call_chain+0x13d/0x240 kernel/notifier.c:401
       __dev_notify_flags+0x3da/0x860 net/core/dev.c:1733
       dev_change_flags+0x1ac/0x230 net/core/dev.c:7569
       do_setlink+0x165f/0x5ea0 net/core/rtnetlink.c:2492
       rtnl_newlink+0x2ad7/0x35a0 net/core/rtnetlink.c:3111
       rtnetlink_rcv_msg+0x1148/0x1540 net/core/rtnetlink.c:4947
       netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:4965
       netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
       netlink_unicast+0x1699/0x1740 net/netlink/af_netlink.c:1336
       netlink_sendmsg+0x13c7/0x1440 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:621 [inline]
       sock_sendmsg net/socket.c:631 [inline]
       ___sys_sendmsg+0xe3b/0x1240 net/socket.c:2116
       __sys_sendmsg net/socket.c:2154 [inline]
       __do_sys_sendmsg net/socket.c:2163 [inline]
       __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
       __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
       do_syscall_64+0xcf/0x110 arch/x86/entry/common.c:291
       entry_SYSCALL_64_after_hwframe+0x63/0xe7
      
      Bytes 36-37 of 105 are uninitialized
      Memory access of size 105 starts at ffff88819686c000
      Data copied to user address 0000000020000380
      
      Fixes: d83b0603 ("net: add fdb generic dump routine")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Cc: Ido Schimmel <idosch@mellanox.com>
      Cc: David Ahern <dsahern@gmail.com>
      Reviewed-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a482f800
    • B
      Revert "net/ibm/emac: wrong bit is used for STA control" · f5c9c30d
      Benjamin Herrenschmidt 提交于
      [ Upstream commit 5b3279e2cba2238b37f6c18adfdea8bddb32715a ]
      
      This reverts commit 624ca9c3.
      
      This commit is completely bogus. The STACR register has two formats, old
      and new, depending on the version of the IP block used. There's a pair of
      device-tree properties that can be used to specify the format used:
      
      	has-inverted-stacr-oc
      	has-new-stacr-staopc
      
      What this commit did was to change the bit definition used with the old
      parts to match the new parts. This of course breaks the driver on all
      the old ones.
      
      Instead, the author should have set the appropriate properties in the
      device-tree for the variant used on his board.
      Signed-off-by: NBenjamin Herrenschmidt <benh@kernel.crashing.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f5c9c30d
    • E
      net: use skb_list_del_init() to remove from RX sublists · 7fafda16
      Edward Cree 提交于
      [ Upstream commit 22f6bbb7bcfcef0b373b0502a7ff390275c575dd ]
      
      list_del() leaves the skb->next pointer poisoned, which can then lead to
       a crash in e.g. OVS forwarding.  For example, setting up an OVS VXLAN
       forwarding bridge on sfc as per:
      
      ========
      $ ovs-vsctl show
      5dfd9c47-f04b-4aaa-aa96-4fbb0a522a30
          Bridge "br0"
              Port "br0"
                  Interface "br0"
                      type: internal
              Port "enp6s0f0"
                  Interface "enp6s0f0"
              Port "vxlan0"
                  Interface "vxlan0"
                      type: vxlan
                      options: {key="1", local_ip="10.0.0.5", remote_ip="10.0.0.4"}
          ovs_version: "2.5.0"
      ========
      (where 10.0.0.5 is an address on enp6s0f1)
      and sending traffic across it will lead to the following panic:
      ========
      general protection fault: 0000 [#1] SMP PTI
      CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.20.0-rc3-ehc+ #701
      Hardware name: Dell Inc. PowerEdge R710/0M233H, BIOS 6.4.0 07/23/2013
      RIP: 0010:dev_hard_start_xmit+0x38/0x200
      Code: 53 48 89 fb 48 83 ec 20 48 85 ff 48 89 54 24 08 48 89 4c 24 18 0f 84 ab 01 00 00 48 8d 86 90 00 00 00 48 89 f5 48 89 44 24 10 <4c> 8b 33 48 c7 03 00 00 00 00 48 8b 05 c7 d1 b3 00 4d 85 f6 0f 95
      RSP: 0018:ffff888627b437e0 EFLAGS: 00010202
      RAX: 0000000000000000 RBX: dead000000000100 RCX: ffff88862279c000
      RDX: ffff888614a342c0 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: ffff888618a88000 R08: 0000000000000001 R09: 00000000000003e8
      R10: 0000000000000000 R11: ffff888614a34140 R12: 0000000000000000
      R13: 0000000000000062 R14: dead000000000100 R15: ffff888616430000
      FS:  0000000000000000(0000) GS:ffff888627b40000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007f6d2bc6d000 CR3: 000000000200a000 CR4: 00000000000006e0
      Call Trace:
       <IRQ>
       __dev_queue_xmit+0x623/0x870
       ? masked_flow_lookup+0xf7/0x220 [openvswitch]
       ? ep_poll_callback+0x101/0x310
       do_execute_actions+0xaba/0xaf0 [openvswitch]
       ? __wake_up_common+0x8a/0x150
       ? __wake_up_common_lock+0x87/0xc0
       ? queue_userspace_packet+0x31c/0x5b0 [openvswitch]
       ovs_execute_actions+0x47/0x120 [openvswitch]
       ovs_dp_process_packet+0x7d/0x110 [openvswitch]
       ovs_vport_receive+0x6e/0xd0 [openvswitch]
       ? dst_alloc+0x64/0x90
       ? rt_dst_alloc+0x50/0xd0
       ? ip_route_input_slow+0x19a/0x9a0
       ? __udp_enqueue_schedule_skb+0x198/0x1b0
       ? __udp4_lib_rcv+0x856/0xa30
       ? __udp4_lib_rcv+0x856/0xa30
       ? cpumask_next_and+0x19/0x20
       ? find_busiest_group+0x12d/0xcd0
       netdev_frame_hook+0xce/0x150 [openvswitch]
       __netif_receive_skb_core+0x205/0xae0
       __netif_receive_skb_list_core+0x11e/0x220
       netif_receive_skb_list+0x203/0x460
       ? __efx_rx_packet+0x335/0x5e0 [sfc]
       efx_poll+0x182/0x320 [sfc]
       net_rx_action+0x294/0x3c0
       __do_softirq+0xca/0x297
       irq_exit+0xa6/0xb0
       do_IRQ+0x54/0xd0
       common_interrupt+0xf/0xf
       </IRQ>
      ========
      So, in all listified-receive handling, instead pull skbs off the lists with
       skb_list_del_init().
      
      Fixes: 9af86f93 ("net: core: fix use-after-free in __netif_receive_skb_list_core")
      Fixes: 7da517a3 ("net: core: Another step of skb receive list processing")
      Fixes: a4ca8b7d ("net: ipv4: fix drop handling in ip_list_rcv() and ip_list_rcv_finish()")
      Fixes: d8269e2c ("net: ipv6: listify ipv6_rcv() and ip6_rcv_finish()")
      Signed-off-by: NEdward Cree <ecree@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7fafda16