1. 29 10月, 2019 40 次提交
    • J
      USB: serial: ti_usb_3410_5052: fix port-close races · edd3e9c7
      Johan Hovold 提交于
      commit 6f1d1dc8d540a9aa6e39b9cb86d3a67bbc1c8d8d upstream.
      
      Fix races between closing a port and opening or closing another port on
      the same device which could lead to a failure to start or stop the
      shared interrupt URB. The latter could potentially cause a
      use-after-free or worse in the completion handler on driver unbind.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      edd3e9c7
    • G
      usb: udc: lpc32xx: fix bad bit shift operation · 068fcbe8
      Gustavo A. R. Silva 提交于
      commit b987b66ac3a2bc2f7b03a0ba48a07dc553100c07 upstream.
      
      It seems that the right variable to use in this case is *i*, instead of
      *n*, otherwise there is an undefined behavior when right shifiting by more
      than 31 bits when multiplying n by 8; notice that *n* can take values
      equal or greater than 4 (4, 8, 16, ...).
      
      Also, notice that under the current conditions (bl = 3), we are skiping
      the handling of bytes 3, 7, 31... So, fix this by updating this logic
      and limit *bl* up to 4 instead of up to 3.
      
      This fix is based on function udc_stuff_fifo().
      
      Addresses-Coverity-ID: 1454834 ("Bad bit shift operation")
      Fixes: 24a28e42 ("USB: gadget driver for LPC32xx")
      Cc: stable@vger.kernel.org
      Signed-off-by: NGustavo A. R. Silva <gustavo@embeddedor.com>
      Link: https://lore.kernel.org/r/20191014191830.GA10721@embeddedorSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      068fcbe8
    • L
      ALSA: hda - Force runtime PM on Nvidia HDMI codecs · 7ed43d2e
      Lukas Wunner 提交于
      commit 94989e318b2f11e217e86bee058088064fa9a2e9 upstream.
      
      Przemysław Kopa reports that since commit b516ea586d71 ("PCI: Enable
      NVIDIA HDA controllers"), the discrete GPU Nvidia GeForce GT 540M on his
      2011 Samsung laptop refuses to runtime suspend, resulting in a power
      regression and excessive heat.
      
      Rivera Valdez witnesses the same issue with a GeForce GT 525M (GF108M)
      of the same era, as does another Arch Linux user named "R0AR" with a
      more recent GeForce GTX 1050 Ti (GP107M).
      
      The commit exposes the discrete GPU's HDA controller and all four codecs
      on the controller do not set the CLKSTOP and EPSS bits in the Supported
      Power States Response.  They also do not set the PS-ClkStopOk bit in the
      Get Power State Response.  hda_codec_runtime_suspend() therefore does
      not call snd_hdac_codec_link_down(), which prevents each codec and the
      PCI device from runtime suspending.
      
      The same issue is present on some AMD discrete GPUs and we addressed it
      by forcing runtime PM despite the bits not being set, see commit
      57cb54e5 ("ALSA: hda - Force to link down at runtime suspend on
      ATI/AMD HDMI").
      
      Do the same for Nvidia HDMI codecs.
      
      Fixes: b516ea586d71 ("PCI: Enable NVIDIA HDA controllers")
      Link: https://bbs.archlinux.org/viewtopic.php?pid=1865512
      Link: https://bugs.freedesktop.org/show_bug.cgi?id=75985#c81Reported-by: NPrzemysław Kopa <prymoo@gmail.com>
      Reported-by: NRivera Valdez <riveravaldez@ysinembargo.com>
      Signed-off-by: NLukas Wunner <lukas@wunner.de>
      Cc: Daniel Drake <dan@reactivated.net>
      Cc: stable@vger.kernel.org # v5.3+
      Link: https://lore.kernel.org/r/3086bc75135c1e3567c5bc4f3cc4ff5cbf7a56c2.1571324194.git.lukas@wunner.deSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7ed43d2e
    • S
      ALSA: usb-audio: Disable quirks for BOSS Katana amplifiers · 7dda7481
      Szabolcs Szőke 提交于
      commit 7571b6a17fcc5e4f6903f065a82d0e38011346ed upstream.
      
      BOSS Katana amplifiers cannot be used for recording or playback if quirks
      are applied
      
      BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=195223Signed-off-by: NSzabolcs Szőke <szszoke.code@gmail.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191011171937.8013-1-szszoke.code@gmail.comSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      7dda7481
    • D
      ALSA: hda/realtek - Enable headset mic on Asus MJ401TA · 6c8a9a46
      Daniel Drake 提交于
      commit 8c8967a7dc01a25f57a0757fdca10987773cd1f2 upstream.
      
      On Asus MJ401TA (with Realtek ALC256), the headset mic is connected to
      pin 0x19, with default configuration value 0x411111f0 (indicating no
      physical connection).
      
      Enable this by quirking the pin. Mic jack detection was also tested and
      found to be working.
      
      This enables use of the headset mic on this product.
      Signed-off-by: NDaniel Drake <drake@endlessm.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lore.kernel.org/r/20191017081501.17135-1-drake@endlessm.comSigned-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6c8a9a46
    • K
      ALSA: hda/realtek - Add support for ALC711 · 30a83eb0
      Kailang Yang 提交于
      commit 83629532ce45ef9df1f297b419b9ea112045685d upstream.
      
      Support new codec ALC711.
      Signed-off-by: NKailang Yang <kailang@realtek.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NTakashi Iwai <tiwai@suse.de>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      30a83eb0
    • J
      USB: legousbtower: fix memleak on disconnect · 5366778b
      Johan Hovold 提交于
      commit b6c03e5f7b463efcafd1ce141bd5a8fc4e583ae2 upstream.
      
      If disconnect() races with release() after a process has been
      interrupted, release() could end up returning early and the driver would
      fail to free its driver data.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: NJohan Hovold <johan@kernel.org>
      Link: https://lore.kernel.org/r/20191010125835.27031-3-johan@kernel.orgSigned-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      5366778b
    • M
      memfd: Fix locking when tagging pins · 99b45e7a
      Matthew Wilcox (Oracle) 提交于
      The RCU lock is insufficient to protect the radix tree iteration as
      a deletion from the tree can occur before we take the spinlock to
      tag the entry.  In 4.19, this has manifested as a bug with the following
      trace:
      
      kernel BUG at lib/radix-tree.c:1429!
      invalid opcode: 0000 [#1] SMP KASAN PTI
      CPU: 7 PID: 6935 Comm: syz-executor.2 Not tainted 4.19.36 #25
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
      RIP: 0010:radix_tree_tag_set+0x200/0x2f0 lib/radix-tree.c:1429
      Code: 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f c3 48 89 44 24 10 e8 a3 29 7e fe 48 8b 44 24 10 48 0f ab 03 e9 d2 fe ff ff e8 90 29 7e fe <0f> 0b 48 c7 c7 e0 5a 87 84 e8 f0 e7 08 ff 4c 89 ef e8 4a ff ac fe
      RSP: 0018:ffff88837b13fb60 EFLAGS: 00010016
      RAX: 0000000000040000 RBX: ffff8883c5515d58 RCX: ffffffff82cb2ef0
      RDX: 0000000000000b72 RSI: ffffc90004cf2000 RDI: ffff8883c5515d98
      RBP: ffff88837b13fb98 R08: ffffed106f627f7e R09: ffffed106f627f7e
      R10: 0000000000000001 R11: ffffed106f627f7d R12: 0000000000000004
      R13: ffffea000d7fea80 R14: 1ffff1106f627f6f R15: 0000000000000002
      FS:  00007fa1b8df2700(0000) GS:ffff8883e2fc0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fa1b8df1db8 CR3: 000000037d4d2001 CR4: 0000000000160ee0
      Call Trace:
       memfd_tag_pins mm/memfd.c:51 [inline]
       memfd_wait_for_pins+0x2c5/0x12d0 mm/memfd.c:81
       memfd_add_seals mm/memfd.c:215 [inline]
       memfd_fcntl+0x33d/0x4a0 mm/memfd.c:247
       do_fcntl+0x589/0xeb0 fs/fcntl.c:421
       __do_sys_fcntl fs/fcntl.c:463 [inline]
       __se_sys_fcntl fs/fcntl.c:448 [inline]
       __x64_sys_fcntl+0x12d/0x180 fs/fcntl.c:448
       do_syscall_64+0xc8/0x580 arch/x86/entry/common.c:293
      
      The problem does not occur in mainline due to the XArray rewrite which
      changed the locking to exclude modification of the tree during iteration.
      At the time, nobody realised this was a bugfix.  Backport the locking
      changes to stable.
      
      Cc: stable@vger.kernel.org
      Reported-by: Nzhong jiang <zhongjiang@huawei.com>
      Signed-off-by: NMatthew Wilcox (Oracle) <willy@infradead.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      99b45e7a
    • X
      sctp: change sctp_prot .no_autobind with true · 2770f80a
      Xin Long 提交于
      [ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ]
      
      syzbot reported a memory leak:
      
        BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
        backtrace:
      
          [...] slab_alloc mm/slab.c:3319 [inline]
          [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
          [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
          [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
          [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
          [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
          [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
          [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
          [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
          [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
          [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
          [...] __do_sys_setsockopt net/socket.c:2100 [inline]
      
      It was caused by when sending msgs without binding a port, in the path:
      inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
      .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
      not. Later when binding another port by sctp_setsockopt_bindx(), a new
      bucket will be created as bp->port is not set.
      
      sctp's autobind is supposed to call sctp_autobind() where it does all
      things including setting bp->port. Since sctp_autobind() is called in
      sctp_sendmsg() if the sk is not yet bound, it should have skipped the
      auto bind.
      
      THis patch is to avoid calling inet_autobind() in inet_send_prepare()
      by changing sctp_prot .no_autobind with true, also remove the unused
      .get_port.
      
      Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2770f80a
    • B
      net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow · cd8c21ca
      Biao Huang 提交于
      [ Upstream commit e497c20e203680aba9ccf7bb475959595908ca7e ]
      
      disable ptp_ref_clk in suspend flow, and enable it in resume flow.
      
      Fixes: f573c0b9 ("stmmac: move stmmac_clk, pclk, clk_ptp_ref and stmmac_rst to platform structure")
      Signed-off-by: NBiao Huang <biao.huang@mediatek.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd8c21ca
    • X
      net: ipv6: fix listify ip6_rcv_finish in case of forwarding · da4f0aed
      Xin Long 提交于
      [ Upstream commit c7a42eb49212f93a800560662d17d5293960d3c3 ]
      
      We need a similar fix for ipv6 as Commit 0761680d ("net: ipv4: fix
      listify ip_rcv_finish in case of forwarding") does for ipv4.
      
      This issue can be reprocuded by syzbot since Commit 323ebb61e32b ("net:
      use listified RX for handling GRO_NORMAL skbs") on net-next. The call
      trace was:
      
        kernel BUG at include/linux/skbuff.h:2225!
        RIP: 0010:__skb_pull include/linux/skbuff.h:2225 [inline]
        RIP: 0010:skb_pull+0xea/0x110 net/core/skbuff.c:1902
        Call Trace:
          sctp_inq_pop+0x2f1/0xd80 net/sctp/inqueue.c:202
          sctp_endpoint_bh_rcv+0x184/0x8d0 net/sctp/endpointola.c:385
          sctp_inq_push+0x1e4/0x280 net/sctp/inqueue.c:80
          sctp_rcv+0x2807/0x3590 net/sctp/input.c:256
          sctp6_rcv+0x17/0x30 net/sctp/ipv6.c:1049
          ip6_protocol_deliver_rcu+0x2fe/0x1660 net/ipv6/ip6_input.c:397
          ip6_input_finish+0x84/0x170 net/ipv6/ip6_input.c:438
          NF_HOOK include/linux/netfilter.h:305 [inline]
          NF_HOOK include/linux/netfilter.h:299 [inline]
          ip6_input+0xe4/0x3f0 net/ipv6/ip6_input.c:447
          dst_input include/net/dst.h:442 [inline]
          ip6_sublist_rcv_finish+0x98/0x1e0 net/ipv6/ip6_input.c:84
          ip6_list_rcv_finish net/ipv6/ip6_input.c:118 [inline]
          ip6_sublist_rcv+0x80c/0xcf0 net/ipv6/ip6_input.c:282
          ipv6_list_rcv+0x373/0x4b0 net/ipv6/ip6_input.c:316
          __netif_receive_skb_list_ptype net/core/dev.c:5049 [inline]
          __netif_receive_skb_list_core+0x5fc/0x9d0 net/core/dev.c:5097
          __netif_receive_skb_list net/core/dev.c:5149 [inline]
          netif_receive_skb_list_internal+0x7eb/0xe60 net/core/dev.c:5244
          gro_normal_list.part.0+0x1e/0xb0 net/core/dev.c:5757
          gro_normal_list net/core/dev.c:5755 [inline]
          gro_normal_one net/core/dev.c:5769 [inline]
          napi_frags_finish net/core/dev.c:5782 [inline]
          napi_gro_frags+0xa6a/0xea0 net/core/dev.c:5855
          tun_get_user+0x2e98/0x3fa0 drivers/net/tun.c:1974
          tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2020
      
      Fixes: d8269e2c ("net: ipv6: listify ipv6_rcv() and ip6_rcv_finish()")
      Fixes: 323ebb61e32b ("net: use listified RX for handling GRO_NORMAL skbs")
      Reported-by: syzbot+eb349eeee854e389c36d@syzkaller.appspotmail.com
      Reported-by: syzbot+4a0643a653ac375612d1@syzkaller.appspotmail.com
      Signed-off-by: NXin Long <lucien.xin@gmail.com>
      Acked-by: NEdward Cree <ecree@solarflare.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da4f0aed
    • C
      net/ibmvnic: Fix EOI when running in XIVE mode. · cc2d858b
      Cédric Le Goater 提交于
      [ Upstream commit 11d49ce9f7946dfed4dcf5dbde865c78058b50ab ]
      
      pSeries machines on POWER9 processors can run with the XICS (legacy)
      interrupt mode or with the XIVE exploitation interrupt mode. These
      interrupt contollers have different interfaces for interrupt
      management : XICS uses hcalls and XIVE loads and stores on a page.
      H_EOI being a XICS interface the enable_scrq_irq() routine can fail
      when the machine runs in XIVE mode.
      
      Fix that by calling the EOI handler of the interrupt chip.
      
      Fixes: f23e0643 ("ibmvnic: Clear pending interrupt after device reset")
      Signed-off-by: NCédric Le Goater <clg@kaod.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cc2d858b
    • T
      net: i82596: fix dma_alloc_attr for sni_82596 · 3f9d4e3c
      Thomas Bogendoerfer 提交于
      [ Upstream commit 61c1d33daf7b5146f44d4363b3322f8cda6a6c43 ]
      
      Commit 7f683b92 ("i825xx: switch to switch to dma_alloc_attrs")
      switched dma allocation over to dma_alloc_attr, but didn't convert
      the SNI part to request consistent DMA memory. This broke sni_82596
      since driver doesn't do dma_cache_sync for performance reasons.
      Fix this by using different DMA_ATTRs for lasi_82596 and sni_82596.
      
      Fixes: 7f683b92 ("i825xx: switch to switch to dma_alloc_attrs")
      Signed-off-by: NThomas Bogendoerfer <tbogendoerfer@suse.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3f9d4e3c
    • F
      net: bcmgenet: Set phydev->dev_flags only for internal PHYs · da0baae9
      Florian Fainelli 提交于
      [ Upstream commit 92696286f3bb37ba50e4bd8d1beb24afb759a799 ]
      
      phydev->dev_flags is entirely dependent on the PHY device driver which
      is going to be used, setting the internal GENET PHY revision in those
      bits only makes sense when drivers/net/phy/bcm7xxx.c is the PHY driver
      being used.
      
      Fixes: 487320c5 ("net: bcmgenet: communicate integrated PHY revision to PHY driver")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: NDoug Berger <opendmb@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      da0baae9
    • F
      net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 · c0f5839a
      Florian Fainelli 提交于
      [ Upstream commit efb86fede98cdc70b674692ff617b1162f642c49 ]
      
      The RGMII_MODE_EN bit value was 0 for GENET versions 1 through 3, and
      became 6 for GENET v4 and above, account for that difference.
      
      Fixes: aa09677c ("net: bcmgenet: add MDIO routines")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: NDoug Berger <opendmb@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      c0f5839a
    • E
      net: avoid potential infinite loop in tc_ctl_action() · 16d67aca
      Eric Dumazet 提交于
      [ Upstream commit 39f13ea2f61b439ebe0060393e9c39925c9ee28c ]
      
      tc_ctl_action() has the ability to loop forever if tcf_action_add()
      returns -EAGAIN.
      
      This special case has been done in case a module needed to be loaded,
      but it turns out that tcf_add_notify() could also return -EAGAIN
      if the socket sk_rcvbuf limit is hit.
      
      We need to separate the two cases, and only loop for the module
      loading case.
      
      While we are at it, add a limit of 10 attempts since unbounded
      loops are always scary.
      
      syzbot repro was something like :
      
      socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3
      write(3, ..., 38) = 38
      setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0
      sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...)
      
      NMI backtrace for cpu 0
      CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101
       nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62
       arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
       trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline]
       check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline]
       watchdog+0x9d0/0xef0 kernel/hung_task.c:289
       kthread+0x361/0x430 kernel/kthread.c:255
       ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
      Sending NMI from CPU 0 to CPUs 1:
      NMI backtrace for cpu 1
      CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline]
      RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453
      Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6
      RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046
      RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000
      RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914
      RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1
      R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f
      R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003
      FS:  00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
       _raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159
       __wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122
       __wake_up+0xe/0x10 kernel/sched/wait.c:142
       netlink_unlock_table net/netlink/af_netlink.c:466 [inline]
       netlink_unlock_table net/netlink/af_netlink.c:463 [inline]
       netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514
       netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534
       rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714
       tcf_add_notify net/sched/act_api.c:1343 [inline]
       tcf_action_add+0x243/0x370 net/sched/act_api.c:1362
       tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410
       rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386
       netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
       rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404
       netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
       netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328
       netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917
       sock_sendmsg_nosec net/socket.c:637 [inline]
       sock_sendmsg+0xd7/0x130 net/socket.c:657
       ___sys_sendmsg+0x803/0x920 net/socket.c:2311
       __sys_sendmsg+0x105/0x1d0 net/socket.c:2356
       __do_sys_sendmsg net/socket.c:2365 [inline]
       __se_sys_sendmsg net/socket.c:2363 [inline]
       __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363
       do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x440939
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      16d67aca
    • S
      ipv4: Return -ENETUNREACH if we can't create route but saddr is valid · 2fa80e64
      Stefano Brivio 提交于
      [ Upstream commit 595e0651d0296bad2491a4a29a7a43eae6328b02 ]
      
      ...instead of -EINVAL. An issue was found with older kernel versions
      while unplugging a NFS client with pending RPCs, and the wrong error
      code here prevented it from recovering once link is back up with a
      configured address.
      
      Incidentally, this is not an issue anymore since commit 4f8943f80883
      ("SUNRPC: Replace direct task wakeups from softirq context"), included
      in 5.2-rc7, had the effect of decoupling the forwarding of this error
      by using SO_ERROR in xs_wake_error(), as pointed out by Benjamin
      Coddington.
      
      To the best of my knowledge, this isn't currently causing any further
      issue, but the error code doesn't look appropriate anyway, and we
      might hit this in other paths as well.
      
      In detail, as analysed by Gonzalo Siero, once the route is deleted
      because the interface is down, and can't be resolved and we return
      -EINVAL here, this ends up, courtesy of inet_sk_rebuild_header(),
      as the socket error seen by tcp_write_err(), called by
      tcp_retransmit_timer().
      
      In turn, tcp_write_err() indirectly calls xs_error_report(), which
      wakes up the RPC pending tasks with a status of -EINVAL. This is then
      seen by call_status() in the SUN RPC implementation, which aborts the
      RPC call calling rpc_exit(), instead of handling this as a
      potentially temporary condition, i.e. as a timeout.
      
      Return -EINVAL only if the input parameters passed to
      ip_route_output_key_hash_rcu() are actually invalid (this is the case
      if the specified source address is multicast, limited broadcast or
      all zeroes), but return -ENETUNREACH in all cases where, at the given
      moment, the given source address doesn't allow resolving the route.
      
      While at it, drop the initialisation of err to -ENETUNREACH, which
      was added to __ip_route_output_key() back then by commit
      0315e382 ("net: Fix behaviour of unreachable, blackhole and
      prohibit routes"), but actually had no effect, as it was, and is,
      overwritten by the fib_lookup() return code assignment, and anyway
      ignored in all other branches, including the if (fl4->saddr) one:
      I find this rather confusing, as it would look like -ENETUNREACH is
      the "default" error, while that statement has no effect.
      
      Also note that after commit fc75fc83 ("ipv4: dont create routes
      on down devices"), we would get -ENETUNREACH if the device is down,
      but -EINVAL if the source address is specified and we can't resolve
      the route, and this appears to be rather inconsistent.
      Reported-by: NStefan Walter <walteste@inf.ethz.ch>
      Analysed-by: NBenjamin Coddington <bcodding@redhat.com>
      Analysed-by: NGonzalo Siero <gsierohu@redhat.com>
      Signed-off-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2fa80e64
    • W
      ipv4: fix race condition between route lookup and invalidation · 2ec0df4e
      Wei Wang 提交于
      [ Upstream commit 5018c59607a511cdee743b629c76206d9c9e6d7b ]
      
      Jesse and Ido reported the following race condition:
      <CPU A, t0> - Received packet A is forwarded and cached dst entry is
      taken from the nexthop ('nhc->nhc_rth_input'). Calls skb_dst_set()
      
      <t1> - Given Jesse has busy routers ("ingesting full BGP routing tables
      from multiple ISPs"), route is added / deleted and rt_cache_flush() is
      called
      
      <CPU B, t2> - Received packet B tries to use the same cached dst entry
      from t0, but rt_cache_valid() is no longer true and it is replaced in
      rt_cache_route() by the newer one. This calls dst_dev_put() on the
      original dst entry which assigns the blackhole netdev to 'dst->dev'
      
      <CPU A, t3> - dst_input(skb) is called on packet A and it is dropped due
      to 'dst->dev' being the blackhole netdev
      
      There are 2 issues in the v4 routing code:
      1. A per-netns counter is used to do the validation of the route. That
      means whenever a route is changed in the netns, users of all routes in
      the netns needs to redo lookup. v6 has an implementation of only
      updating fn_sernum for routes that are affected.
      2. When rt_cache_valid() returns false, rt_cache_route() is called to
      throw away the current cache, and create a new one. This seems
      unnecessary because as long as this route does not change, the route
      cache does not need to be recreated.
      
      To fully solve the above 2 issues, it probably needs quite some code
      changes and requires careful testing, and does not suite for net branch.
      
      So this patch only tries to add the deleted cached rt into the uncached
      list, so user could still be able to use it to receive packets until
      it's done.
      
      Fixes: 95c47f9c ("ipv4: call dst_dev_put() properly")
      Signed-off-by: NWei Wang <weiwan@google.com>
      Reported-by: NIdo Schimmel <idosch@idosch.org>
      Reported-by: NJesse Hathaway <jesse@mbuki-mvuki.org>
      Tested-by: NJesse Hathaway <jesse@mbuki-mvuki.org>
      Acked-by: NMartin KaFai Lau <kafai@fb.com>
      Cc: David Ahern <dsahern@gmail.com>
      Reviewed-by: NIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2ec0df4e
    • Y
      ocfs2: fix panic due to ocfs2_wq is null · 0d3ad773
      Yi Li 提交于
      commit b918c43021baaa3648de09e19a4a3dd555a45f40 upstream.
      
      mount.ocfs2 failed when reading ocfs2 filesystem superblock encounters
      an error.  ocfs2_initialize_super() returns before allocating ocfs2_wq.
      ocfs2_dismount_volume() triggers the following panic.
      
        Oct 15 16:09:27 cnwarekv-205120 kernel: On-disk corruption discovered.Please run fsck.ocfs2 once the filesystem is unmounted.
        Oct 15 16:09:27 cnwarekv-205120 kernel: (mount.ocfs2,22804,44): ocfs2_read_locked_inode:537 ERROR: status = -30
        Oct 15 16:09:27 cnwarekv-205120 kernel: (mount.ocfs2,22804,44): ocfs2_init_global_system_inodes:458 ERROR: status = -30
        Oct 15 16:09:27 cnwarekv-205120 kernel: (mount.ocfs2,22804,44): ocfs2_init_global_system_inodes:491 ERROR: status = -30
        Oct 15 16:09:27 cnwarekv-205120 kernel: (mount.ocfs2,22804,44): ocfs2_initialize_super:2313 ERROR: status = -30
        Oct 15 16:09:27 cnwarekv-205120 kernel: (mount.ocfs2,22804,44): ocfs2_fill_super:1033 ERROR: status = -30
        ------------[ cut here ]------------
        Oops: 0002 [#1] SMP NOPTI
        CPU: 1 PID: 11753 Comm: mount.ocfs2 Tainted: G  E
              4.14.148-200.ckv.x86_64 #1
        Hardware name: Sugon H320-G30/35N16-US, BIOS 0SSDX017 12/21/2018
        task: ffff967af0520000 task.stack: ffffa5f05484000
        RIP: 0010:mutex_lock+0x19/0x20
        Call Trace:
          flush_workqueue+0x81/0x460
          ocfs2_shutdown_local_alloc+0x47/0x440 [ocfs2]
          ocfs2_dismount_volume+0x84/0x400 [ocfs2]
          ocfs2_fill_super+0xa4/0x1270 [ocfs2]
          ? ocfs2_initialize_super.isa.211+0xf20/0xf20 [ocfs2]
          mount_bdev+0x17f/0x1c0
          mount_fs+0x3a/0x160
      
      Link: http://lkml.kernel.org/r/1571139611-24107-1-git-send-email-yili@winhong.comSigned-off-by: NYi Li <yilikernel@gmail.com>
      Reviewed-by: NJoseph Qi <joseph.qi@linux.alibaba.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Changwei Ge <gechangwei@live.cn>
      Cc: Gang He <ghe@suse.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0d3ad773
    • A
      Revert "drm/radeon: Fix EEH during kexec" · 0933b0db
      Alex Deucher 提交于
      [ Upstream commit 8d13c187c42e110625d60094668a8f778c092879 ]
      
      This reverts commit 6f7fe9a93e6c09bf988c5059403f5f88e17e21e6.
      
      This breaks some boards.  Maybe just enable this on PPC for
      now?
      
      Bug: https://bugzilla.kernel.org/show_bug.cgi?id=205147Signed-off-by: NAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0933b0db
    • S
      md/raid0: fix warning message for parameter default_layout · 9457994a
      Song Liu 提交于
      [ Upstream commit 3874d73e06c9b9dc15de0b7382fc223986d75571 ]
      
      The message should match the parameter, i.e. raid0.default_layout.
      
      Fixes: c84a1372df92 ("md/raid0: avoid RAID0 data corruption due to layout confusion.")
      Cc: NeilBrown <neilb@suse.de>
      Reported-by: NIvan Topolsky <doktor.yak@gmail.com>
      Signed-off-by: NSong Liu <songliubraving@fb.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9457994a
    • D
      libata/ahci: Fix PCS quirk application · 51f0c108
      Dan Williams 提交于
      [ Upstream commit 09d6ac8dc51a033ae0043c1fe40b4d02563c2496 ]
      
      Commit c312ef176399 "libata/ahci: Drop PCS quirk for Denverton and
      beyond" got the polarity wrong on the check for which board-ids should
      have the quirk applied. The board type board_ahci_pcs7 is defined at the
      end of the list such that "pcs7" boards can be special cased in the
      future if they need the quirk. All prior Intel board ids "<
      board_ahci_pcs7" should proceed with applying the quirk.
      Reported-by: NAndreas Friedrich <afrie@gmx.net>
      Reported-by: NStephen Douthit <stephend@silicom-usa.com>
      Fixes: c312ef176399 ("libata/ahci: Drop PCS quirk for Denverton and beyond")
      Cc: <stable@vger.kernel.org>
      Signed-off-by: NDan Williams <dan.j.williams@intel.com>
      Signed-off-by: NJens Axboe <axboe@kernel.dk>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      51f0c108
    • J
      namespace: fix namespace.pl script to support relative paths · 9bc5a4db
      Jacob Keller 提交于
      [ Upstream commit 82fdd12b95727640c9a8233c09d602e4518e71f7 ]
      
      The namespace.pl script does not work properly if objtree is not set to
      an absolute path. The do_nm function is run from within the find
      function, which changes directories.
      
      Because of this, appending objtree, $File::Find::dir, and $source, will
      return a path which is not valid from the current directory.
      
      This used to work when objtree was set to an absolute path when using
      "make namespacecheck". It appears to have not worked when calling
      ./scripts/namespace.pl directly.
      
      This behavior was changed in 7e1c0477 ("kbuild: Use relative path
      for $(objtree)", 2014-05-14)
      
      Rather than fixing the Makefile to set objtree to an absolute path, just
      fix namespace.pl to work when srctree and objtree are relative. Also fix
      the script to use an absolute path for these by default.
      
      Use the File::Spec module for this purpose. It's been part of perl
      5 since 5.005.
      
      The curdir() function is used to get the current directory when the
      objtree and srctree aren't set in the environment.
      
      rel2abs() is used to convert possibly relative objtree and srctree
      environment variables to absolute paths.
      
      Finally, the catfile() function is used instead of string appending
      paths together, since this is more robust when joining paths together.
      Signed-off-by: NJacob Keller <jacob.e.keller@intel.com>
      Acked-by: NRandy Dunlap <rdunlap@infradead.org>
      Tested-by: NRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: NMasahiro Yamada <yamada.masahiro@socionext.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      9bc5a4db
    • K
      r8152: Set macpassthru in reset_resume callback · 6acbcd14
      Kai-Heng Feng 提交于
      [ Upstream commit a54cdeeb04fc719e4c7f19d6e28dba7ea86cee5b ]
      
      r8152 may fail to establish network connection after resume from system
      suspend.
      
      If the USB port connects to r8152 lost its power during system suspend,
      the MAC address was written before is lost. The reason is that The MAC
      address doesn't get written again in its reset_resume callback.
      
      So let's set MAC address again in reset_resume callback. Also remove
      unnecessary lock as no other locking attempt will happen during
      reset_resume.
      Signed-off-by: NKai-Heng Feng <kai.heng.feng@canonical.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6acbcd14
    • R
      lib: textsearch: fix escapes in example code · 0cb5c7b0
      Randy Dunlap 提交于
      [ Upstream commit 2105b52e30debe7f19f3218598d8ae777dcc6776 ]
      
      This textsearch code example does not need the '\' escapes and they can
      be misleading to someone reading the example. Also, gcc and sparse warn
      that the "\%d" is an unknown escape sequence.
      
      Fixes: 5968a70d ("textsearch: fix kernel-doc warnings and add kernel-api section")
      Signed-off-by: NRandy Dunlap <rdunlap@infradead.org>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      0cb5c7b0
    • Y
      net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write() · 50699af3
      Yizhuo 提交于
      [ Upstream commit 53de429f4e88f538f7a8ec2b18be8c0cd9b2c8e1 ]
      
      In function mdio_sc_cfg_reg_write(), variable "reg_value" could be
      uninitialized if regmap_read() fails. However, "reg_value" is used
      to decide the control flow later in the if statement, which is
      potentially unsafe.
      Signed-off-by: NYizhuo <yzhai003@ucr.edu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      50699af3
    • C
      mips: Loongson: Fix the link time qualifier of 'serial_exit()' · db1e664e
      Christophe JAILLET 提交于
      [ Upstream commit 25b69a889b638b0b7e51e2c4fe717a66bec0e566 ]
      
      'exit' functions should be marked as __exit, not __init.
      
      Fixes: 85cc0288 ("mips: make loongsoon serial driver explicitly modular")
      Signed-off-by: NChristophe JAILLET <christophe.jaillet@wanadoo.fr>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: chenhc@lemote.com
      Cc: ralf@linux-mips.org
      Cc: jhogan@kernel.org
      Cc: linux-mips@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Cc: kernel-janitors@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      db1e664e
    • W
      net: dsa: rtl8366rb: add missing of_node_put after calling of_get_child_by_name · b43bf6b1
      Wen Yang 提交于
      [ Upstream commit f32eb9d80470dab05df26b6efd02d653c72e6a11 ]
      
      of_node_put needs to be called when the device node which is got
      from of_get_child_by_name finished using.
      irq_domain_add_linear() also calls of_node_get() to increase refcount,
      so irq_domain will not be affected when it is released.
      
      Fixes: d8652956 ("net: dsa: realtek-smi: Add Realtek SMI driver")
      Signed-off-by: NWen Yang <wenyang@linux.alibaba.com>
      Cc: Linus Walleij <linus.walleij@linaro.org>
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: Vivien Didelot <vivien.didelot@gmail.com>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: netdev@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reviewed-by: NLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      b43bf6b1
    • P
      netfilter: nft_connlimit: disable bh on garbage collection · a16a9c10
      Pablo Neira Ayuso 提交于
      [ Upstream commit 34a4c95abd25ab41fb390b985a08a651b1fa0b0f ]
      
      BH must be disabled when invoking nf_conncount_gc_list() to perform
      garbage collection, otherwise deadlock might happen.
      
        nf_conncount_add+0x1f/0x50 [nf_conncount]
        nft_connlimit_eval+0x4c/0xe0 [nft_connlimit]
        nft_dynset_eval+0xb5/0x100 [nf_tables]
        nft_do_chain+0xea/0x420 [nf_tables]
        ? sch_direct_xmit+0x111/0x360
        ? noqueue_init+0x10/0x10
        ? __qdisc_run+0x84/0x510
        ? tcp_packet+0x655/0x1610 [nf_conntrack]
        ? ip_finish_output2+0x1a7/0x430
        ? tcp_error+0x130/0x150 [nf_conntrack]
        ? nf_conntrack_in+0x1fc/0x4c0 [nf_conntrack]
        nft_do_chain_ipv4+0x66/0x80 [nf_tables]
        nf_hook_slow+0x44/0xc0
        ip_rcv+0xb5/0xd0
        ? ip_rcv_finish_core.isra.19+0x360/0x360
        __netif_receive_skb_one_core+0x52/0x70
        netif_receive_skb_internal+0x34/0xe0
        napi_gro_receive+0xba/0xe0
        e1000_clean_rx_irq+0x1e9/0x420 [e1000e]
        e1000e_poll+0xbe/0x290 [e1000e]
        net_rx_action+0x149/0x3b0
        __do_softirq+0xde/0x2d8
        irq_exit+0xba/0xc0
        do_IRQ+0x85/0xd0
        common_interrupt+0xf/0xf
        </IRQ>
        RIP: 0010:nf_conncount_gc_list+0x3b/0x130 [nf_conncount]
      
      Fixes: 2f971a8f4255 ("netfilter: nf_conncount: move all list iterations under spinlock")
      Reported-by: NLaura Garcia Liebana <nevola@gmail.com>
      Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a16a9c10
    • M
      mac80211: fix txq null pointer dereference · 13104599
      Miaoqing Pan 提交于
      [ Upstream commit 8ed31a264065ae92058ce54aa3cc8da8d81dc6d7 ]
      
      If the interface type is P2P_DEVICE or NAN, read the file of
      '/sys/kernel/debug/ieee80211/phyx/netdev:wlanx/aqm' will get a
      NULL pointer dereference. As for those interface type, the
      pointer sdata->vif.txq is NULL.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000011
      CPU: 1 PID: 30936 Comm: cat Not tainted 4.14.104 #1
      task: ffffffc0337e4880 task.stack: ffffff800cd20000
      PC is at ieee80211_if_fmt_aqm+0x34/0xa0 [mac80211]
      LR is at ieee80211_if_fmt_aqm+0x34/0xa0 [mac80211]
      [...]
      Process cat (pid: 30936, stack limit = 0xffffff800cd20000)
      [...]
      [<ffffff8000b7cd00>] ieee80211_if_fmt_aqm+0x34/0xa0 [mac80211]
      [<ffffff8000b7c414>] ieee80211_if_read+0x60/0xbc [mac80211]
      [<ffffff8000b7ccc4>] ieee80211_if_read_aqm+0x28/0x30 [mac80211]
      [<ffffff80082eff94>] full_proxy_read+0x2c/0x48
      [<ffffff80081eef00>] __vfs_read+0x2c/0xd4
      [<ffffff80081ef084>] vfs_read+0x8c/0x108
      [<ffffff80081ef494>] SyS_read+0x40/0x7c
      Signed-off-by: NMiaoqing Pan <miaoqing@codeaurora.org>
      Acked-by: NToke Høiland-Jørgensen <toke@redhat.com>
      Link: https://lore.kernel.org/r/1569549796-8223-1-git-send-email-miaoqing@codeaurora.org
      [trim useless data from commit message]
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      13104599
    • M
      nl80211: fix null pointer dereference · 09c5a5bb
      Miaoqing Pan 提交于
      [ Upstream commit b501426cf86e70649c983c52f4c823b3c40d72a3 ]
      
      If the interface is not in MESH mode, the command 'iw wlanx mpath del'
      will cause kernel panic.
      
      The root cause is null pointer access in mpp_flush_by_proxy(), as the
      pointer 'sdata->u.mesh.mpp_paths' is NULL for non MESH interface.
      
      Unable to handle kernel NULL pointer dereference at virtual address 00000068
      [...]
      PC is at _raw_spin_lock_bh+0x20/0x5c
      LR is at mesh_path_del+0x1c/0x17c [mac80211]
      [...]
      Process iw (pid: 4537, stack limit = 0xd83e0238)
      [...]
      [<c021211c>] (_raw_spin_lock_bh) from [<bf8c7648>] (mesh_path_del+0x1c/0x17c [mac80211])
      [<bf8c7648>] (mesh_path_del [mac80211]) from [<bf6cdb7c>] (extack_doit+0x20/0x68 [compat])
      [<bf6cdb7c>] (extack_doit [compat]) from [<c05c309c>] (genl_rcv_msg+0x274/0x30c)
      [<c05c309c>] (genl_rcv_msg) from [<c05c25d8>] (netlink_rcv_skb+0x58/0xac)
      [<c05c25d8>] (netlink_rcv_skb) from [<c05c2e14>] (genl_rcv+0x20/0x34)
      [<c05c2e14>] (genl_rcv) from [<c05c1f90>] (netlink_unicast+0x11c/0x204)
      [<c05c1f90>] (netlink_unicast) from [<c05c2420>] (netlink_sendmsg+0x30c/0x370)
      [<c05c2420>] (netlink_sendmsg) from [<c05886d0>] (sock_sendmsg+0x70/0x84)
      [<c05886d0>] (sock_sendmsg) from [<c0589f4c>] (___sys_sendmsg.part.3+0x188/0x228)
      [<c0589f4c>] (___sys_sendmsg.part.3) from [<c058add4>] (__sys_sendmsg+0x4c/0x70)
      [<c058add4>] (__sys_sendmsg) from [<c0208c80>] (ret_fast_syscall+0x0/0x44)
      Code: e2822c02 e2822001 e5832004 f590f000 (e1902f9f)
      ---[ end trace bbd717600f8f884d ]---
      Signed-off-by: NMiaoqing Pan <miaoqing@codeaurora.org>
      Link: https://lore.kernel.org/r/1569485810-761-1-git-send-email-miaoqing@codeaurora.org
      [trim useless data from commit message]
      Signed-off-by: NJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      09c5a5bb
    • R
      xen/efi: Set nonblocking callbacks · 90a886b6
      Ross Lagerwall 提交于
      [ Upstream commit df359f0d09dc029829b66322707a2f558cb720f7 ]
      
      Other parts of the kernel expect these nonblocking EFI callbacks to
      exist and crash when running under Xen. Since the implementations of
      xen_efi_set_variable() and xen_efi_query_variable_info() do not take any
      locks, use them for the nonblocking callbacks too.
      Signed-off-by: NRoss Lagerwall <ross.lagerwall@citrix.com>
      Reviewed-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NJuergen Gross <jgross@suse.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      90a886b6
    • O
      MIPS: dts: ar9331: fix interrupt-controller size · 5d880444
      Oleksij Rempel 提交于
      [ Upstream commit 0889d07f3e4b171c453b2aaf2b257f9074cdf624 ]
      
      It is two registers each of 4 byte.
      Signed-off-by: NOleksij Rempel <o.rempel@pengutronix.de>
      Signed-off-by: NPaul Burton <paul.burton@mips.com>
      Cc: Rob Herring <robh+dt@kernel.org>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
      Cc: Ralf Baechle <ralf@linux-mips.org>
      Cc: James Hogan <jhogan@kernel.org>
      Cc: devicetree@vger.kernel.org
      Cc: linux-mips@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      5d880444
    • M
      net: dsa: qca8k: Use up to 7 ports for all operations · 6d0da953
      Michal Vokáč 提交于
      [ Upstream commit 7ae6d93c8f052b7a77ba56ed0f654e22a2876739 ]
      
      The QCA8K family supports up to 7 ports. So use the existing
      QCA8K_NUM_PORTS define to allocate the switch structure and limit all
      operations with the switch ports.
      
      This was not an issue until commit 0394a63acfe2 ("net: dsa: enable and
      disable all ports") disabled all unused ports. Since the unused ports 7-11
      are outside of the correct register range on this switch some registers
      were rewritten with invalid content.
      
      Fixes: 6b93fb46 ("net-next: dsa: add new driver for qca8xxx family")
      Fixes: a0c02161 ("net: dsa: variable number of ports")
      Fixes: 0394a63acfe2 ("net: dsa: enable and disable all ports")
      Signed-off-by: NMichal Vokáč <michal.vokac@ysoft.com>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      6d0da953
    • P
      ARM: dts: am4372: Set memory bandwidth limit for DISPC · 1cd24f5e
      Peter Ujfalusi 提交于
      [ Upstream commit f90ec6cdf674248dcad85bf9af6e064bf472b841 ]
      
      Set memory bandwidth limit to filter out resolutions above 720p@60Hz to
      avoid underflow errors due to the bandwidth needs of higher resolutions.
      
      am43xx can not provide enough bandwidth to DISPC to correctly handle
      'high' resolutions.
      Signed-off-by: NPeter Ujfalusi <peter.ujfalusi@ti.com>
      Signed-off-by: NTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      1cd24f5e
    • N
      ieee802154: ca8210: prevent memory leak · 96001921
      Navid Emamdoost 提交于
      [ Upstream commit 6402939ec86eaf226c8b8ae00ed983936b164908 ]
      
      In ca8210_probe the allocated pdata needs to be assigned to
      spi_device->dev.platform_data before calling ca8210_get_platform_data.
      Othrwise when ca8210_get_platform_data fails pdata cannot be released.
      Signed-off-by: NNavid Emamdoost <navid.emamdoost@gmail.com>
      Link: https://lore.kernel.org/r/20190917224713.26371-1-navid.emamdoost@gmail.comSigned-off-by: NStefan Schmidt <stefan@datenfreihafen.org>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      96001921
    • T
      ARM: OMAP2+: Fix warnings with broken omap2_set_init_voltage() · ec3817c6
      Tony Lindgren 提交于
      [ Upstream commit cf395f7ddb9ebc6b2d28d83b53d18aa4e7c19701 ]
      
      This code is currently unable to find the dts opp tables as ti-cpufreq
      needs to set them up first based on speed binning.
      
      We stopped initializing the opp tables with platform code years ago for
      device tree based booting with commit 92d51856 ("ARM: OMAP3+: do not
      register non-dt OPP tables for device tree boot"), and all of mach-omap2
      is now booting using device tree.
      
      We currently get the following errors on init:
      
      omap2_set_init_voltage: unable to find boot up OPP for vdd_mpu
      omap2_set_init_voltage: unable to set vdd_mpu
      omap2_set_init_voltage: unable to find boot up OPP for vdd_core
      omap2_set_init_voltage: unable to set vdd_core
      omap2_set_init_voltage: unable to find boot up OPP for vdd_iva
      omap2_set_init_voltage: unable to set vdd_iva
      
      Let's just drop the unused code. Nowadays ti-cpufreq should be used to
      to initialize things properly.
      
      Cc: Adam Ford <aford173@gmail.com>
      Cc: André Roth <neolynx@gmail.com>
      Cc: "H. Nikolaus Schaller" <hns@goldelico.com>
      Cc: Nishanth Menon <nm@ti.com>
      Cc: Tero Kristo <t-kristo@ti.com>
      Tested-by: Adam Ford <aford173@gmail.com> #logicpd-torpedo-37xx-devkit
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      ec3817c6
    • T
      ARM: OMAP2+: Fix missing reset done flag for am3 and am43 · a23cd06c
      Tony Lindgren 提交于
      [ Upstream commit 8ad8041b98c665b6147e607b749586d6e20ba73a ]
      
      For ti,sysc-omap4 compatible devices with no sysstatus register, we do have
      reset done status available in the SOFTRESET bit that clears when the reset
      is done. This is documented for example in am437x TRM for DMTIMER_TIOCP_CFG
      register. The am335x TRM just says that SOFTRESET bit value 1 means reset is
      ongoing, but it behaves the same way clearing after reset is done.
      
      With the ti-sysc driver handling this automatically based on no sysstatus
      register defined, we see warnings if SYSC_HAS_RESET_STATUS is missing in the
      legacy platform data:
      
      ti-sysc 48042000.target-module: sysc_flags 00000222 != 00000022
      ti-sysc 48044000.target-module: sysc_flags 00000222 != 00000022
      ti-sysc 48046000.target-module: sysc_flags 00000222 != 00000022
      ...
      
      Let's fix these warnings by adding SYSC_HAS_RESET_STATUS. Let's also
      remove the useless parentheses while at it.
      
      If it turns out we do have ti,sysc-omap4 compatible devices without a
      working SOFTRESET bit we can set up additional quirk handling for it.
      Signed-off-by: NTony Lindgren <tony@atomide.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      a23cd06c
    • Q
      scsi: qla2xxx: Fix unbound sleep in fcport delete path. · fcff55e2
      Quinn Tran 提交于
      [ Upstream commit c3b6a1d397420a0fdd97af2f06abfb78adc370df ]
      
      There are instances, though rare, where a LOGO request cannot be sent out
      and the thread in free session done can wait indefinitely. Fix this by
      putting an upper bound to sleep.
      
      Link: https://lore.kernel.org/r/20190912180918.6436-3-hmadhani@marvell.comSigned-off-by: NQuinn Tran <qutran@marvell.com>
      Signed-off-by: NHimanshu Madhani <hmadhani@marvell.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      fcff55e2
    • X
      scsi: megaraid: disable device when probe failed after enabled device · c3d475c7
      Xiang Chen 提交于
      [ Upstream commit 70054aa39a013fa52eff432f2223b8bd5c0048f8 ]
      
      For pci device, need to disable device when probe failed after enabled
      device.
      
      Link: https://lore.kernel.org/r/1567818450-173315-1-git-send-email-chenxiang66@hisilicon.comSigned-off-by: NXiang Chen <chenxiang66@hisilicon.com>
      Reviewed-by: NJohn Garry <john.garry@huawei.com>
      Signed-off-by: NMartin K. Petersen <martin.petersen@oracle.com>
      Signed-off-by: NSasha Levin <sashal@kernel.org>
      c3d475c7