1. 22 Aug, 2018 36 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.18.4 · 28b2837b
      Greg Kroah-Hartman authored
      28b2837b
    • Hangbin Liu's avatar
      cls_matchall: fix tcf_unbind_filter missing · b1246ef7
      Hangbin Liu authored
      [ Upstream commit a51c76b4 ]
      
      Fix tcf_unbind_filter missing in cls_matchall as this will trigger
      WARN_ON() in cbq_destroy_class().
      
      Fixes: fd62d9f5
      
       ("net/sched: matchall: Fix configuration race")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b1246ef7
    • Jisheng Zhang's avatar
      net: mvneta: fix mvneta_config_rss on armada 3700 · ffbc6163
      Jisheng Zhang authored
      [ Upstream commit 0f5c6c30
      
       ]
      
      The mvneta Ethernet driver is used on a few different Marvell SoCs.
      Some SoCs have per cpu interrupts for Ethernet events, the driver uses
      a per CPU napi structure for this case. Some SoCs such as armada 3700
      have a single interrupt for Ethernet events, the driver uses a global
      napi structure for this case.
      
      Current mvneta_config_rss() always operates the per cpu napi structure.
      Fix it by operating a global napi for "single interrupt" case, and per
      cpu napi structure for remaining cases.
      Signed-off-by: default avatarJisheng Zhang <Jisheng.Zhang@synaptics.com>
      Fixes: 2636ac3c
      
       ("net: mvneta: Add network support for Armada 3700 SoC")
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      ffbc6163
    • Andrew Lunn's avatar
      net: ethernet: mvneta: Fix napi structure mixup on armada 3700 · 298f83fe
      Andrew Lunn authored
      [ Upstream commit 7a86f05f
      
       ]
      
      The mvneta Ethernet driver is used on a few different Marvell SoCs.
      Some SoCs have per cpu interrupts for Ethernet events. Some SoCs have
      a single interrupt, independent of the CPU. The driver handles this by
      having a per CPU napi structure when there are per CPU interrupts, and
      a global napi structure when there is a single interrupt.
      
      When the napi core calls mvneta_poll(), it passes the napi
      instance. This was not being propagated through the call chain, and
      instead the per-cpu napi instance was passed to napi_gro_receive()
      call. This breaks when there is a single global napi instance.
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Fixes: 2636ac3c
      
       ("net: mvneta: Add network support for Armada 3700 SoC")
      Signed-off-by: default avatarGregory CLEMENT <gregory.clement@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      298f83fe
    • Haishuang Yan's avatar
      ip_vti: fix a null pointer deferrence when create vti fallback tunnel · 043b985f
      Haishuang Yan authored
      [ Upstream commit cd1aa9c2 ]
      
      After set fb_tunnels_only_for_init_net to 1, the itn->fb_tunnel_dev will
      be NULL and will cause following crash:
      
      [ 2742.849298] BUG: unable to handle kernel NULL pointer dereference at 0000000000000941
      [ 2742.851380] PGD 800000042c21a067 P4D 800000042c21a067 PUD 42aaed067 PMD 0
      [ 2742.852818] Oops: 0002 [#1] SMP PTI
      [ 2742.853570] CPU: 7 PID: 2484 Comm: unshare Kdump: loaded Not tainted 4.18.0-rc8+ #2
      [ 2742.855163] Hardware name: Fedora Project OpenStack Nova, BIOS seabios-1.7.5-11.el7 04/01/2014
      [ 2742.856970] RIP: 0010:vti_init_net+0x3a/0x50 [ip_vti]
      [ 2742.858034] Code: 90 83 c0 48 c7 c2 20 a1 83 c0 48 89 fb e8 6e 3b f6 ff 85 c0 75 22 8b 0d f4 19 00 00 48 8b 93 00 14 00 00 48 8b 14 ca 48 8b 12 <c6> 82 41 09 00 00 04 c6 82 38 09 00 00 45 5b c3 66 0f 1f 44 00 00
      [ 2742.861940] RSP: 0018:ffff9be28207fde0 EFLAGS: 00010246
      [ 2742.863044] RAX: 0000000000000000 RBX: ffff8a71ebed4980 RCX: 0000000000000013
      [ 2742.864540] RDX: 0000000000000000 RSI: 0000000000000013 RDI: ffff8a71ebed4980
      [ 2742.866020] RBP: ffff8a71ea717000 R08: ffffffffc083903c R09: ffff8a71ea717000
      [ 2742.867505] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8a71ebed4980
      [ 2742.868987] R13: 0000000000000013 R14: ffff8a71ea5b49c0 R15: 0000000000000000
      [ 2742.870473] FS:  00007f02266c9740(0000) GS:ffff8a71ffdc0000(0000) knlGS:0000000000000000
      [ 2742.872143] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [ 2742.873340] CR2: 0000000000000941 CR3: 000000042bc20006 CR4: 00000000001606e0
      [ 2742.874821] Call Trace:
      [ 2742.875358]  ops_init+0x38/0xf0
      [ 2742.876078]  setup_net+0xd9/0x1f0
      [ 2742.876789]  copy_net_ns+0xb7/0x130
      [ 2742.877538]  create_new_namespaces+0x11a/0x1d0
      [ 2742.878525]  unshare_nsproxy_namespaces+0x55/0xa0
      [ 2742.879526]  ksys_unshare+0x1a7/0x330
      [ 2742.880313]  __x64_sys_unshare+0xe/0x20
      [ 2742.881131]  do_syscall_64+0x5b/0x180
      [ 2742.881933]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Reproduce:
      echo 1 > /proc/sys/net/core/fb_tunnels_only_for_init_net
      modprobe ip_vti
      unshare -n
      
      Fixes: 79134e6c
      
       ("net: do not create fallback tunnels for non-default namespaces")
      Cc: Eric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      043b985f
    • Jian-Hong Pan's avatar
      r8169: don't use MSI-X on RTL8106e · 63d60df1
      Jian-Hong Pan authored
      [ Upstream commit 7bb05b85 ]
      
      Found the ethernet network on ASUS X441UAR doesn't come back on resume
      from suspend when using MSI-X.  The chip is RTL8106e - version 39.
      
      [   21.848357] libphy: r8169: probed
      [   21.848473] r8169 0000:02:00.0 eth0: RTL8106e, 0c:9d:92:32:67:b4, XID
      44900000, IRQ 127
      [   22.518860] r8169 0000:02:00.0 enp2s0: renamed from eth0
      [   29.458041] Generic PHY r8169-200:00: attached PHY driver [Generic
      PHY] (mii_bus:phy_addr=r8169-200:00, irq=IGNORE)
      [   63.227398] r8169 0000:02:00.0 enp2s0: Link is Up - 100Mbps/Full -
      flow control off
      [  124.514648] Generic PHY r8169-200:00: attached PHY driver [Generic
      PHY] (mii_bus:phy_addr=r8169-200:00, irq=IGNORE)
      
      Here is the ethernet controller in detail:
      
      02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd.
      RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller [10ec:8136]
      (rev 07)
      	Subsystem: ASUSTeK Computer Inc. RTL810xE PCI Express Fast
      Ethernet controller [1043:200f]
      	Flags: bus master, fast devsel, latency 0, IRQ 16
      	I/O ports at e000 [size=256]
      	Memory at ef100000 (64-bit, non-prefetchable) [size=4K]
      	Memory at e0000000 (64-bit, prefetchable) [size=16K]
      	Capabilities: <access denied>
      	Kernel driver in use: r8169
      	Kernel modules: r8169
      
      Falling back to MSI fixes the issue.
      
      Fixes: 6c6aa15f
      
       ("r8169: improve interrupt handling")
      Signed-off-by: default avatarJian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      63d60df1
    • Takashi Iwai's avatar
      hv/netvsc: Fix NULL dereference at single queue mode fallback · 6f560142
      Takashi Iwai authored
      [ Upstream commit b19b4634 ]
      
      The recent commit 916c5e14 ("hv/netvsc: fix handling of fallback
      to single queue mode") tried to fix the fallback behavior to a single
      queue mode, but it changed the function to return zero incorrectly,
      while the function should return an object pointer.  Eventually this
      leads to a NULL dereference at the callers that expect non-NULL
      value.
      
      Fix it by returning the proper net_device object.
      
      Fixes: 916c5e14
      
       ("hv/netvsc: fix handling of fallback to single queue mode")
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Reviewed-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6f560142
    • Jeremy Cline's avatar
      net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() · cd0fb1cb
      Jeremy Cline authored
      [ Upstream commit 66b51b0a ]
      
      req->sdiag_family is a user-controlled value that's used as an array
      index. Sanitize it after the bounds check to avoid speculative
      out-of-bounds array access.
      
      This also protects the sock_is_registered() call, so this removes the
      sanitize call there.
      
      Fixes: e978de7a
      
       ("net: socket: Fix potential spectre v1 gadget in sock_is_registered")
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: konrad.wilk@oracle.com
      Cc: jamie.iles@oracle.com
      Cc: liran.alon@oracle.com
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJeremy Cline <jcline@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      cd0fb1cb
    • Kees Cook's avatar
      isdn: Disable IIOCDBGVAR · 3909ccf1
      Kees Cook authored
      [ Upstream commit 5e22002a
      
       ]
      
      It was possible to directly leak the kernel address where the isdn_dev
      structure pointer was stored. This is a kernel ASLR bypass for anyone
      with access to the ioctl. The code had been present since the beginning
      of git history, though this shouldn't ever be needed for normal operation,
      therefore remove it.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Karsten Keil <isdn@linux-pingi.de>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      3909ccf1
    • Sudip Mukherjee's avatar
      Bluetooth: avoid killing an already killed socket · 2b9ffbf2
      Sudip Mukherjee authored
      commit 4e1a720d
      
       upstream.
      
      slub debug reported:
      
      [  440.648642] =============================================================================
      [  440.648649] BUG kmalloc-1024 (Tainted: G    BU     O   ): Poison overwritten
      [  440.648651] -----------------------------------------------------------------------------
      
      [  440.648655] INFO: 0xe70f4bec-0xe70f4bec. First byte 0x6a instead of 0x6b
      [  440.648665] INFO: Allocated in sk_prot_alloc+0x6b/0xc6 age=33155 cpu=1 pid=1047
      [  440.648671] 	___slab_alloc.constprop.24+0x1fc/0x292
      [  440.648675] 	__slab_alloc.isra.18.constprop.23+0x1c/0x25
      [  440.648677] 	__kmalloc+0xb6/0x17f
      [  440.648680] 	sk_prot_alloc+0x6b/0xc6
      [  440.648683] 	sk_alloc+0x1e/0xa1
      [  440.648700] 	sco_sock_alloc.constprop.6+0x26/0xaf [bluetooth]
      [  440.648716] 	sco_connect_cfm+0x166/0x281 [bluetooth]
      [  440.648731] 	hci_conn_request_evt.isra.53+0x258/0x281 [bluetooth]
      [  440.648746] 	hci_event_packet+0x28b/0x2326 [bluetooth]
      [  440.648759] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648764] 	process_one_work+0x163/0x2b2
      [  440.648767] 	worker_thread+0x1a9/0x25c
      [  440.648770] 	kthread+0xf8/0xfd
      [  440.648774] 	ret_from_fork+0x2e/0x38
      [  440.648779] INFO: Freed in __sk_destruct+0xd3/0xdf age=3815 cpu=1 pid=1047
      [  440.648782] 	__slab_free+0x4b/0x27a
      [  440.648784] 	kfree+0x12e/0x155
      [  440.648787] 	__sk_destruct+0xd3/0xdf
      [  440.648790] 	sk_destruct+0x27/0x29
      [  440.648793] 	__sk_free+0x75/0x91
      [  440.648795] 	sk_free+0x1c/0x1e
      [  440.648810] 	sco_sock_kill+0x5a/0x5f [bluetooth]
      [  440.648825] 	sco_conn_del+0x8e/0xba [bluetooth]
      [  440.648840] 	sco_disconn_cfm+0x3a/0x41 [bluetooth]
      [  440.648855] 	hci_event_packet+0x45e/0x2326 [bluetooth]
      [  440.648868] 	hci_rx_work+0x161/0x291 [bluetooth]
      [  440.648872] 	process_one_work+0x163/0x2b2
      [  440.648875] 	worker_thread+0x1a9/0x25c
      [  440.648877] 	kthread+0xf8/0xfd
      [  440.648880] 	ret_from_fork+0x2e/0x38
      [  440.648884] INFO: Slab 0xf4718580 objects=27 used=27 fp=0x  (null) flags=0x40008100
      [  440.648886] INFO: Object 0xe70f4b88 @offset=19336 fp=0xe70f54f8
      
      When KASAN was enabled, it reported:
      
      [  210.096613] ==================================================================
      [  210.096634] BUG: KASAN: use-after-free in ex_handler_refcount+0x5b/0x127
      [  210.096641] Write of size 4 at addr ffff880107e17160 by task kworker/u9:1/2040
      
      [  210.096651] CPU: 1 PID: 2040 Comm: kworker/u9:1 Tainted: G     U     O    4.14.47-20180606+ #2
      [  210.096654] Hardware name: , BIOS 2017.01-00087-g43e04de 08/30/2017
      [  210.096693] Workqueue: hci0 hci_rx_work [bluetooth]
      [  210.096698] Call Trace:
      [  210.096711]  dump_stack+0x46/0x59
      [  210.096722]  print_address_description+0x6b/0x23b
      [  210.096729]  ? ex_handler_refcount+0x5b/0x127
      [  210.096736]  kasan_report+0x220/0x246
      [  210.096744]  ex_handler_refcount+0x5b/0x127
      [  210.096751]  ? ex_handler_clear_fs+0x85/0x85
      [  210.096757]  fixup_exception+0x8c/0x96
      [  210.096766]  do_trap+0x66/0x2c1
      [  210.096773]  do_error_trap+0x152/0x180
      [  210.096781]  ? fixup_bug+0x78/0x78
      [  210.096817]  ? hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096824]  ? __schedule+0x113b/0x1453
      [  210.096830]  ? sysctl_net_exit+0xe/0xe
      [  210.096837]  ? __wake_up_common+0x343/0x343
      [  210.096843]  ? insert_work+0x107/0x163
      [  210.096850]  invalid_op+0x1b/0x40
      [  210.096888] RIP: 0010:hci_debugfs_create_conn+0x244/0x26a [bluetooth]
      [  210.096892] RSP: 0018:ffff880094a0f970 EFLAGS: 00010296
      [  210.096898] RAX: 0000000000000000 RBX: ffff880107e170e8 RCX: ffff880107e17160
      [  210.096902] RDX: 000000000000002f RSI: ffff88013b80ed40 RDI: ffffffffa058b940
      [  210.096906] RBP: ffff88011b2b0578 R08: 00000000852f0ec9 R09: ffffffff81cfcf9b
      [  210.096909] R10: 00000000d21bdad7 R11: 0000000000000001 R12: ffff8800967b0488
      [  210.096913] R13: ffff880107e17168 R14: 0000000000000068 R15: ffff8800949c0008
      [  210.096920]  ? __sk_destruct+0x2c6/0x2d4
      [  210.096959]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.096969]  ? __local_bh_enable_ip+0x43/0x5b
      [  210.097004]  ? l2cap_sock_recv_cb+0x158/0x166 [bluetooth]
      [  210.097039]  ? hci_le_meta_evt+0x2bb3/0x2bb3 [bluetooth]
      [  210.097075]  ? l2cap_ertm_init+0x94e/0x94e [bluetooth]
      [  210.097093]  ? xhci_urb_enqueue+0xbd8/0xcf5 [xhci_hcd]
      [  210.097102]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097109]  ? __accumulate_pelt_segments+0x24/0x33
      [  210.097115]  ? __update_load_avg_se.isra.2+0x217/0x3a4
      [  210.097122]  ? set_next_entity+0x7c3/0x12cd
      [  210.097128]  ? pick_next_entity+0x25e/0x26c
      [  210.097135]  ? pick_next_task_fair+0x2ca/0xc1a
      [  210.097141]  ? switch_mm_irqs_off+0x346/0xb4f
      [  210.097147]  ? __switch_to+0x769/0xbc4
      [  210.097153]  ? compat_start_thread+0x66/0x66
      [  210.097188]  ? hci_conn_check_link_mode+0x1cd/0x1cd [bluetooth]
      [  210.097195]  ? finish_task_switch+0x392/0x431
      [  210.097228]  ? hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097260]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097269]  process_one_work+0x579/0x9e9
      [  210.097277]  worker_thread+0x68f/0x804
      [  210.097285]  kthread+0x31c/0x32b
      [  210.097292]  ? rescuer_thread+0x70c/0x70c
      [  210.097299]  ? kthread_create_on_node+0xa3/0xa3
      [  210.097306]  ret_from_fork+0x35/0x40
      
      [  210.097314] Allocated by task 2040:
      [  210.097323]  kasan_kmalloc.part.1+0x51/0xc7
      [  210.097328]  __kmalloc+0x17f/0x1b6
      [  210.097335]  sk_prot_alloc+0xf2/0x1a3
      [  210.097340]  sk_alloc+0x22/0x297
      [  210.097375]  sco_sock_alloc.constprop.7+0x23/0x202 [bluetooth]
      [  210.097410]  sco_connect_cfm+0x2d0/0x566 [bluetooth]
      [  210.097443]  hci_conn_request_evt.isra.53+0x6d3/0x762 [bluetooth]
      [  210.097476]  hci_event_packet+0x85e/0x7de2 [bluetooth]
      [  210.097507]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097512]  process_one_work+0x579/0x9e9
      [  210.097517]  worker_thread+0x68f/0x804
      [  210.097523]  kthread+0x31c/0x32b
      [  210.097529]  ret_from_fork+0x35/0x40
      
      [  210.097533] Freed by task 2040:
      [  210.097539]  kasan_slab_free+0xb3/0x15e
      [  210.097544]  kfree+0x103/0x1a9
      [  210.097549]  __sk_destruct+0x2c6/0x2d4
      [  210.097584]  sco_conn_del.isra.1+0xba/0x10e [bluetooth]
      [  210.097617]  hci_event_packet+0xff5/0x7de2 [bluetooth]
      [  210.097648]  hci_rx_work+0x154/0x487 [bluetooth]
      [  210.097653]  process_one_work+0x579/0x9e9
      [  210.097658]  worker_thread+0x68f/0x804
      [  210.097663]  kthread+0x31c/0x32b
      [  210.097670]  ret_from_fork+0x35/0x40
      
      [  210.097676] The buggy address belongs to the object at ffff880107e170e8
       which belongs to the cache kmalloc-1024 of size 1024
      [  210.097681] The buggy address is located 120 bytes inside of
       1024-byte region [ffff880107e170e8, ffff880107e174e8)
      [  210.097683] The buggy address belongs to the page:
      [  210.097689] page:ffffea00041f8400 count:1 mapcount:0 mapping:          (null) index:0xffff880107e15b68 compound_mapcount: 0
      [  210.110194] flags: 0x8000000000008100(slab|head)
      [  210.115441] raw: 8000000000008100 0000000000000000 ffff880107e15b68 0000000100170016
      [  210.115448] raw: ffffea0004a47620 ffffea0004b48e20 ffff88013b80ed40 0000000000000000
      [  210.115451] page dumped because: kasan: bad access detected
      
      [  210.115454] Memory state around the buggy address:
      [  210.115460]  ffff880107e17000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  210.115465]  ffff880107e17080: fc fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb
      [  210.115469] >ffff880107e17100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115472]                                                        ^
      [  210.115477]  ffff880107e17180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115481]  ffff880107e17200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [  210.115483] ==================================================================
      
      And finally when BT_DBG() and ftrace was enabled it showed:
      
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_close
             <...>-14979 [001] ....   186.104191: sco_sock_kill <-sco_sock_release
             <...>-14979 [001] ....   186.104192: sco_sock_kill: sk ef0497a0 state 9
             <...>-14979 [001] ....   186.104193: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104246: sco_sock_kill <-sco_conn_del
      kworker/u9:2-792   [001] ....   186.104248: sco_sock_kill: sk ef0497a0 state 9
      kworker/u9:2-792   [001] ....   186.104249: bt_sock_unlink <-sco_sock_kill
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct <-__sk_destruct
      kworker/u9:2-792   [001] ....   186.104250: sco_sock_destruct: sk ef0497a0
      kworker/u9:2-792   [001] ....   186.104860: hci_conn_del <-hci_event_packet
      kworker/u9:2-792   [001] ....   186.104864: hci_conn_del: hci0 hcon ef0484c0 handle 266
      
      Only in the failed case, sco_sock_kill() gets called with the same sock
      pointer two times. Add a check for SOCK_DEAD to avoid continue killing
      a socket which has already been killed.
      Signed-off-by: default avatarSudip Mukherjee <sudipm.mukherjee@gmail.com>
      Signed-off-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2b9ffbf2
    • Xiubo Li's avatar
      Revert "uio: use request_threaded_irq instead" · a34e4f42
      Xiubo Li authored
      commit 3d27c4de upstream.
      
      Since mutex lock in irq hanler is useless currently, here will
      remove it together with it.
      
      This reverts commit 9421e45f
      
      .
      
      Reported-by: james.r.harris@intel.com
      CC: Ahsan Atta <ahsan.atta@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      a34e4f42
    • Johan Hovold's avatar
      misc: sram: fix resource leaks in probe error path · 93e5f3d1
      Johan Hovold authored
      commit f294d009 upstream.
      
      Make sure to disable clocks and deregister any exported partitions
      before returning on late probe errors.
      
      Note that since commit ee895ccd
      
       ("misc: sram: fix enabled clock leak
      on error path"), partitions are deliberately exported before enabling
      the clock so we stick to that logic here. A follow up patch will address
      this.
      
      Cc: stable <stable@vger.kernel.org>     # 4.9
      Cc: Alexandre Belloni <alexandre.belloni@free-electrons.com>
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      93e5f3d1
    • Hailong Liu's avatar
      uio: fix wrong return value from uio_mmap() · 421483e0
      Hailong Liu authored
      commit e7de2590 upstream.
      
      uio_mmap has multiple fail paths to set return value to nonzero then
      goto out. However, it always returns *0* from the *out* at end, and
      this will mislead callers who check the return value of this function.
      
      Fixes: 57c5f4df
      
       ("uio: fix crash after the device is unregistered")
      CC: Xiubo Li <xiubli@redhat.com>
      Signed-off-by: default avatarHailong Liu <liu.hailong6@zte.com.cn>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJiang Biao <jiang.biao2@zte.com.cn>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      421483e0
    • Srinath Mannam's avatar
      serial: 8250_dw: Add ACPI support for uart on Broadcom SoC · 1d5fb78f
      Srinath Mannam authored
      commit 784c29ed
      
       upstream.
      
      Add ACPI identifier HID for UART DW 8250 on Broadcom SoCs
      to match the HID passed through ACPI tables to enable
      UART controller.
      Signed-off-by: default avatarSrinath Mannam <srinath.mannam@broadcom.com>
      Reviewed-by: default avatarVladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>
      Tested-by: default avatarVladimir Olovyannikov <vladimir.olovyannikov@broadcom.com>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1d5fb78f
    • Chen Hu's avatar
      serial: 8250_dw: always set baud rate in dw8250_set_termios · 1964062d
      Chen Hu authored
      commit dfcab6ba
      
       upstream.
      
      dw8250_set_termios() doesn't set baud rate if the arg "old ktermios" is
      NULL. This happens during resume.
      Call Trace:
      ...
      [   54.928108] dw8250_set_termios+0x162/0x170
      [   54.928114] serial8250_set_termios+0x17/0x20
      [   54.928117] uart_change_speed+0x64/0x160
      [   54.928119] uart_resume_port
      ...
      
      So the baud rate is not restored after S3 and breaks the apps who use
      UART, for example, console and bluetooth etc.
      
      We address this issue by setting the baud rate irrespective of arg
      "old", just like the drivers for other 8250 IPs. This is tested with
      Intel Broxton platform.
      Signed-off-by: default avatarChen Hu <hu1.chen@intel.com>
      Fixes: 4e26b134
      
       ("serial: 8250_dw: clock rate handling for all ACPI platforms")
      Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1964062d
    • Aaron Sierra's avatar
      serial: 8250_exar: Read INT0 from slave device, too · 73f85a14
      Aaron Sierra authored
      commit 60ab0faf upstream.
      
      The sleep wake-up refactoring that I introduced in
      
        commit c7e1b405 ("tty: serial: exar: Relocate sleep wake-up handling")
      
      did not account for devices with a slave device on the expansion port.
      This patch pokes the INT0 register in the slave device, if present, in
      order to ensure that MSI interrupts don't get permanently "stuck"
      because of a sleep wake-up interrupt as described here:
      
        commit 2c0ac5b4
      
       ("serial: exar: Fix stuck MSIs")
      
      This also converts an ioread8() to readb() in order to provide visual
      consistency with the MMIO-only accessors used elsewhere in the driver.
      Reported-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Signed-off-by: default avatarAaron Sierra <asierra@xes-inc.com>
      Fixes: c7e1b405
      
       ("tty: serial: exar: Relocate sleep wake-up handling")
      Reviewed-by: default avatarAndy Shevchenko <andriy.shevchenko@linux.intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      73f85a14
    • Mark's avatar
      tty: serial: 8250: Revert NXP SC16C2552 workaround · 47f7d1da
      Mark authored
      commit 47ac7666 upstream.
      
      Revert commit ecb988a3
      
      : tty: serial:
      8250: 8250_core: NXP SC16C2552 workaround
      
      The above commit causes userland application to no longer write
      correctly its first write to a dumb terminal connected to /dev/ttyS0.
      This commit seems to be the culprit. It's as though the TX FIFO is being
      reset during that write. What should be displayed is:
      
      PSW 80000000 INST 00000000                           HALT
      //
      
      What is displayed is some variation of:
      
      T 00000000           HAL//
      
      Reverting this commit via this patch fixes my problem.
      Signed-off-by: default avatarMark Hounschell <dmarkh@cfl.rr.com>
      Fixes: ecb988a3
      
       ("tty: serial: 8250: 8250_core: NXP SC16C2552 workaround")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      47f7d1da
    • Willy Tarreau's avatar
      ACPI / PM: save NVS memory for ASUS 1025C laptop · 8d26e06a
      Willy Tarreau authored
      commit 231f9415 upstream.
      
      Every time I tried to upgrade my laptop from 3.10.x to 4.x I faced an
      issue by which the fan would run at full speed upon resume. Bisecting
      it showed me the issue was introduced in 3.17 by commit 821d6f03
      (ACPI / sleep: Do not save NVS for new machines to accelerate S3). This
      code only affects machines built starting as of 2012, but this Asus
      1025C laptop was made in 2012 and apparently needs the NVS data to be
      saved, otherwise the CPU's thermal state is not properly reported on
      resume and the fan runs at full speed upon resume.
      
      Here's a very simple way to check if such a machine is affected :
      
        # cat /sys/class/thermal/thermal_zone0/temp
        55000
      
        ( now suspend, wait one second and resume )
      
        # cat /sys/class/thermal/thermal_zone0/temp
        0
      
        (and after ~15 seconds the fan starts to spin)
      
      Let's apply the same quirk as commit cbc00c13 (ACPI: save NVS memory
      for Lenovo G50-45) and reuse the function it provides. Note that this
      commit was already backported to 4.9.x but not 4.4.x.
      
      Cc: 3.17+ <stable@vger.kernel.org> # 3.17+: requires cbc00c13
      
      Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8d26e06a
    • Aleksander Morgado's avatar
      USB: option: add support for DW5821e · 54d05edc
      Aleksander Morgado authored
      commit 7bab01ec
      
       upstream.
      
      The device exposes AT, NMEA and DIAG ports in both USB configurations.
      
      The patch explicitly ignores interfaces 0 and 1, as they're bound to
      other drivers already; and also interface 6, which is a GNSS interface
      for which we don't have a driver yet.
      
      T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 18 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
      P:  Vendor=413c ProdID=81d7 Rev=03.18
      S:  Manufacturer=DELL
      S:  Product=DW5821e Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
      I:  If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
      
      T:  Bus=01 Lev=03 Prnt=04 Port=00 Cnt=01 Dev#= 16 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  2
      P:  Vendor=413c ProdID=81d7 Rev=03.18
      S:  Manufacturer=DELL
      S:  Product=DW5821e Snapdragon X20 LTE
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      Signed-off-by: Aleksander Morgado's avatarAleksander Morgado <aleksander@aleksander.es>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      54d05edc
    • Movie Song's avatar
      USB: serial: pl2303: add a new device id for ATEN · fee0c365
      Movie Song authored
      commit 29c692c9
      
       upstream.
      Signed-off-by: default avatarMovie Song <MovieSong@aten-itlab.cn>
      Cc: Johan Hovold <johan@kernel.org>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fee0c365
    • John Ogness's avatar
      USB: serial: sierra: fix potential deadlock at close · 0a471192
      John Ogness authored
      commit e6087001 upstream.
      
      The portdata spinlock can be taken in interrupt context (via
      sierra_outdat_callback()).
      Disable interrupts when taking the portdata spinlock when discarding
      deferred URBs during close to prevent a possible deadlock.
      
      Fixes: 014333f7
      
       ("USB: sierra: fix urb and memory leak on disconnect")
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarJohn Ogness <john.ogness@linutronix.de>
      Signed-off-by: default avatarSebastian Andrzej Siewior <bigeasy@linutronix.de>
      [ johan: amend commit message and add fixes and stable tags ]
      Signed-off-by: default avatarJohan Hovold <johan@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      0a471192
    • Mika Båtsman's avatar
      media: gl861: fix probe of dvb_usb_gl861 · 28f807d7
      Mika Båtsman authored
      commit 48db0089
      
       upstream.
      
      Probe of dvb_usb_gl861 was working at least with v4.4. Noticed the issue
      with v4.13 but according to similar issues the problem started with v4.9.
      
      [   15.288065] transfer buffer not dma capable
      [   15.288090] WARNING: CPU: 2 PID: 493 at drivers/usb/core/hcd.c:1595 usb_hcd_map_urb_for_dma+0x4e2/0x640
      ...CUT...
      [   15.288791] dvb_usb_gl861: probe of 3-7:1.0 failed with error -5
      
      Tested with MSI Mega Sky 580 DVB-T Tuner [GL861]
      
      [mchehab+samsung@kernel.org: rebased on the top of upstream]
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMika Båtsman <mika.batsman@gmail.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab+samsung@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      28f807d7
    • Takashi Iwai's avatar
      ALSA: seq: Fix poll() error return · e078fab2
      Takashi Iwai authored
      commit a49a71f6
      
       upstream.
      
      The sanity checks in ALSA sequencer and OSS sequencer emulation codes
      return falsely -ENXIO from poll callback.  They should be EPOLLERR
      instead.
      
      This was caught thanks to the recent change to the return value.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      e078fab2
    • Takashi Iwai's avatar
      ALSA: vxpocket: Fix invalid endian conversions · 8efea535
      Takashi Iwai authored
      commit 3acd3e3b
      
       upstream.
      
      The endian conversions used in vxp_dma_read() and vxp_dma_write() are
      superfluous and even wrong on big-endian machines, as inw() and outw()
      already do conversions.  Kill them.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8efea535
    • Takashi Iwai's avatar
      ALSA: memalloc: Don't exceed over the requested size · efa72756
      Takashi Iwai authored
      commit dfef01e1
      
       upstream.
      
      snd_dma_alloc_pages_fallback() tries to allocate pages again when the
      allocation fails with reduced size.  But the first try actually
      *increases* the size to power-of-two, which may give back a larger
      chunk than the requested size.  This confuses the callers, e.g. sgbuf
      assumes that the size is equal or less, and it may result in a bad
      loop due to the underflow and eventually lead to Oops.
      
      The code of this function seems incorrectly assuming the usage of
      get_order().  We need to decrease at first, then align to
      power-of-two.
      Reported-and-tested-by: default avatarhe, bo <bo.he@intel.com>
      Reported-by: default avatarzhang jun <jun.zhang@intel.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      efa72756
    • Hans de Goede's avatar
      ALSA: hda: Correct Asrock B85M-ITX power_save blacklist entry · 29a16832
      Hans de Goede authored
      commit 8e82a728 upstream.
      
      I added the subsys product-id for the HDMI HDA device rather then for
      the PCH one, this commit fixes this.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1525104
      
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarHans de Goede <hdegoede@redhat.com>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      29a16832
    • Takashi Sakamoto's avatar
      ALSA: dice: fix wrong copy to rx parameters for Alesis iO26 · 1c0888fb
      Takashi Sakamoto authored
      commit 627661ce upstream.
      
      A commit 28b208f6 ('ALSA: dice: add parameters of stream formats for
      models produced by Alesis') adds wrong copy to rx parameters instead of
      tx parameters for Alesis iO26.
      
      This commit fixes the bug for v4.18-rc8.
      
      Fixes: 28b208f6
      
       ('ALSA: dice: add parameters of stream formats for models produced by Alesis')
      Signed-off-by: default avatarTakashi Sakamoto <o-takashi@sakamocchi.jp>
      Cc: <stable@vger.kernel.org> # v4.18
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      1c0888fb
    • Takashi Iwai's avatar
      ALSA: cs5535audio: Fix invalid endian conversion · eeb2943a
      Takashi Iwai authored
      commit 69756930
      
       upstream.
      
      One place in cs5535audio_build_dma_packets() does an extra conversion
      via cpu_to_le32(); namely jmpprd_addr is passed to setup_prd() ops,
      which writes the value via cs_writel().  That is, the callback does
      the conversion by itself, and we don't need to convert beforehand.
      
      This patch fixes that bogus conversion.
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      eeb2943a
    • Takashi Iwai's avatar
      ALSA: virmidi: Fix too long output trigger loop · fe4740d8
      Takashi Iwai authored
      commit 50e9ffb1
      
       upstream.
      
      The virmidi output trigger tries to parse the all available bytes and
      process sequencer events as much as possible.  In a normal situation,
      this is supposed to be relatively short, but a program may give a huge
      buffer and it'll take a long time in a single spin lock, which may
      eventually lead to a soft lockup.
      
      This patch simply adds a workaround, a cond_resched() call in the loop
      if applicable.  A better solution would be to move the event processor
      into a work, but let's put a duct-tape quickly at first.
      Reported-and-tested-by: default avatarDae R. Jeong <threeearcat@gmail.com>
      Reported-by: syzbot+619d9f40141d826b097e@syzkaller.appspotmail.com
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      fe4740d8
    • Takashi Iwai's avatar
      ALSA: vx222: Fix invalid endian conversions · bb150b44
      Takashi Iwai authored
      commit fff71a4c
      
       upstream.
      
      The endian conversions used in vx2_dma_read() and vx2_dma_write() are
      superfluous and even wrong on big-endian machines, as inl() and outl()
      already do conversions.  Kill them.
      
      Spotted by sparse, a warning like:
        sound/pci/vx222/vx222_ops.c:278:30: warning: incorrect type in argument 1 (different base types)
      
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      bb150b44
    • Park Ju Hyung's avatar
      ALSA: hda - Turn CX8200 into D3 as well upon reboot · f9a16dfc
      Park Ju Hyung authored
      commit d77a4b4a
      
       upstream.
      
      As an equivalent codec with CX20724,
      CX8200 is also subject to the reboot bug.
      
      Late 2017 and 2018 LG Gram and some HP Spectre laptops are known victims
      to this issue, causing extremely loud noises upon reboot.
      
      Now that we know that this bug is subject to multiple codecs,
      fix the comment as well.
      Signed-off-by: default avatarPark Ju Hyung <qkrwngud825@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f9a16dfc
    • Park Ju Hyung's avatar
      ALSA: hda - Sleep for 10ms after entering D3 on Conexant codecs · 79141c50
      Park Ju Hyung authored
      commit f59cf9a0
      
       upstream.
      
      On rare occasions, we are still noticing that the internal speaker
      spitting out spurious noises even after adding the problematic codec
      to the list.
      
      Adding a 10ms artificial delay before rebooting fixes the issue entirely.
      
      Patch for Realtek codecs also adds the same amount of delay after
      entering D3.
      Signed-off-by: default avatarPark Ju Hyung <qkrwngud825@gmail.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      79141c50
    • Heiner Kallweit's avatar
      r8169: don't use MSI-X on RTL8168g · 72a579b8
      Heiner Kallweit authored
      [ Upstream commit 7c53a722
      
       ]
      
      There have been two reports that network doesn't come back on resume
      from suspend when using MSI-X. Both cases affect the same chip version
      (RTL8168g - version 40), on different systems. Falling back to MSI
      fixes the issue.
      Even though we don't really have a proof yet that the network chip
      version is to blame, let's disable MSI-X for this version.
      Reported-by: default avatarSteve Dodd <steved424@gmail.com>
      Reported-by: default avatarLou Reed <gogen@disroot.org>
      Tested-by: default avatarSteve Dodd <steved424@gmail.com>
      Tested-by: default avatarLou Reed <gogen@disroot.org>
      Fixes: 6c6aa15f
      
       ("r8169: improve interrupt handling")
      Signed-off-by: default avatarHeiner Kallweit <hkallweit1@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      72a579b8
    • Hangbin Liu's avatar
      net_sched: Fix missing res info when create new tc_index filter · 01002eb0
      Hangbin Liu authored
      [ Upstream commit 008369dc ]
      
      Li Shuang reported the following warn:
      
      [  733.484610] WARNING: CPU: 6 PID: 21123 at net/sched/sch_cbq.c:1418 cbq_destroy_class+0x5d/0x70 [sch_cbq]
      [  733.495190] Modules linked in: sch_cbq cls_tcindex sch_dsmark rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat l
      [  733.574155]  syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm igb ixgbe ahci libahci i2c_algo_bit libata i40e i2c_core dca mdio megaraid_sas dm_mirror dm_region_hash dm_log dm_mod
      [  733.592500] CPU: 6 PID: 21123 Comm: tc Not tainted 4.18.0-rc8.latest+ #131
      [  733.600169] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.1.5 04/11/2016
      [  733.608518] RIP: 0010:cbq_destroy_class+0x5d/0x70 [sch_cbq]
      [  733.614734] Code: e7 d9 d2 48 8b 7b 48 e8 61 05 da d2 48 8d bb f8 00 00 00 e8 75 ae d5 d2 48 39 eb 74 0a 48 89 df 5b 5d e9 16 6c 94 d2 5b 5d c3 <0f> 0b eb b6 0f 1f 44 00 00 66 2e 0f 1f 84
      [  733.635798] RSP: 0018:ffffbfbb066bb9d8 EFLAGS: 00010202
      [  733.641627] RAX: 0000000000000001 RBX: ffff9cdd17392800 RCX: 000000008010000f
      [  733.649588] RDX: ffff9cdd1df547e0 RSI: ffff9cdd17392800 RDI: ffff9cdd0f84c800
      [  733.657547] RBP: ffff9cdd0f84c800 R08: 0000000000000001 R09: 0000000000000000
      [  733.665508] R10: ffff9cdd0f84d000 R11: 0000000000000001 R12: 0000000000000001
      [  733.673469] R13: 0000000000000000 R14: 0000000000000001 R15: ffff9cdd17392200
      [  733.681430] FS:  00007f911890a740(0000) GS:ffff9cdd1f8c0000(0000) knlGS:0000000000000000
      [  733.690456] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [  733.696864] CR2: 0000000000b5544c CR3: 0000000859374002 CR4: 00000000001606e0
      [  733.704826] Call Trace:
      [  733.707554]  cbq_destroy+0xa1/0xd0 [sch_cbq]
      [  733.712318]  qdisc_destroy+0x62/0x130
      [  733.716401]  dsmark_destroy+0x2a/0x70 [sch_dsmark]
      [  733.721745]  qdisc_destroy+0x62/0x130
      [  733.725829]  qdisc_graft+0x3ba/0x470
      [  733.729817]  tc_get_qdisc+0x2a6/0x2c0
      [  733.733901]  ? cred_has_capability+0x7d/0x130
      [  733.738761]  rtnetlink_rcv_msg+0x263/0x2d0
      [  733.743330]  ? rtnl_calcit.isra.30+0x110/0x110
      [  733.748287]  netlink_rcv_skb+0x4d/0x130
      [  733.752576]  netlink_unicast+0x1a3/0x250
      [  733.756949]  netlink_sendmsg+0x2ae/0x3a0
      [  733.761324]  sock_sendmsg+0x36/0x40
      [  733.765213]  ___sys_sendmsg+0x26f/0x2d0
      [  733.769493]  ? handle_pte_fault+0x586/0xdf0
      [  733.774158]  ? __handle_mm_fault+0x389/0x500
      [  733.778919]  ? __sys_sendmsg+0x5e/0xa0
      [  733.783099]  __sys_sendmsg+0x5e/0xa0
      [  733.787087]  do_syscall_64+0x5b/0x180
      [  733.791171]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  733.796805] RIP: 0033:0x7f9117f23f10
      [  733.800791] Code: c3 48 8b 05 82 6f 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d 8d d0 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8
      [  733.821873] RSP: 002b:00007ffe96818398 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [  733.830319] RAX: ffffffffffffffda RBX: 000000005b71244c RCX: 00007f9117f23f10
      [  733.838280] RDX: 0000000000000000 RSI: 00007ffe968183e0 RDI: 0000000000000003
      [  733.846241] RBP: 00007ffe968183e0 R08: 000000000000ffff R09: 0000000000000003
      [  733.854202] R10: 00007ffe96817e20 R11: 0000000000000246 R12: 0000000000000000
      [  733.862161] R13: 0000000000662ee0 R14: 0000000000000000 R15: 0000000000000000
      [  733.870121] ---[ end trace 28edd4aad712ddca ]---
      
      This is because we didn't update f->result.res when create new filter. Then in
      tcindex_delete() -> tcf_unbind_filter(), we will failed to find out the res
      and unbind filter, which will trigger the WARN_ON() in cbq_destroy_class().
      
      Fix it by updating f->result.res when create new filter.
      
      Fixes: 6e056569
      
       ("net_sched: fix another crash in cls_tcindex")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      01002eb0
    • Hangbin Liu's avatar
      net_sched: fix NULL pointer dereference when delete tcindex filter · 8a1a056d
      Hangbin Liu authored
      [ Upstream commit 2df8bee5 ]
      
      Li Shuang reported the following crash:
      
      [   71.267724] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
      [   71.276456] PGD 800000085d9bd067 P4D 800000085d9bd067 PUD 859a0b067 PMD 0
      [   71.284127] Oops: 0000 [#1] SMP PTI
      [   71.288015] CPU: 12 PID: 2386 Comm: tc Not tainted 4.18.0-rc8.latest+ #131
      [   71.295686] Hardware name: Dell Inc. PowerEdge R730/0WCJNT, BIOS 2.1.5 04/11/2016
      [   71.304037] RIP: 0010:tcindex_delete+0x72/0x280 [cls_tcindex]
      [   71.310446] Code: 00 31 f6 48 87 75 20 48 85 f6 74 11 48 8b 47 18 48 8b 40 08 48 8b 40 50 e8 fb a6 f8 fc 48 85 db 0f 84 dc 00 00 00 48 8b 73 18 <8b> 56 04 48 8d 7e 04 85 d2 0f 84 7b 01 00
      [   71.331517] RSP: 0018:ffffb45207b3f898 EFLAGS: 00010282
      [   71.337345] RAX: ffff8ad3d72d6360 RBX: ffff8acc84393680 RCX: 000000000000002e
      [   71.345306] RDX: ffff8ad3d72c8570 RSI: 0000000000000000 RDI: ffff8ad847a45800
      [   71.353277] RBP: ffff8acc84393688 R08: ffff8ad3d72c8400 R09: 0000000000000000
      [   71.361238] R10: ffff8ad3de786e00 R11: 0000000000000000 R12: ffffb45207b3f8c7
      [   71.369199] R13: ffff8ad3d93bd2a0 R14: 000000000000002e R15: ffff8ad3d72c9600
      [   71.377161] FS:  00007f9d3ec3e740(0000) GS:ffff8ad3df980000(0000) knlGS:0000000000000000
      [   71.386188] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      [   71.392597] CR2: 0000000000000004 CR3: 0000000852f06003 CR4: 00000000001606e0
      [   71.400558] Call Trace:
      [   71.403299]  tcindex_destroy_element+0x25/0x40 [cls_tcindex]
      [   71.409611]  tcindex_walk+0xbb/0x110 [cls_tcindex]
      [   71.414953]  tcindex_destroy+0x44/0x90 [cls_tcindex]
      [   71.420492]  ? tcindex_delete+0x280/0x280 [cls_tcindex]
      [   71.426323]  tcf_proto_destroy+0x16/0x40
      [   71.430696]  tcf_chain_flush+0x51/0x70
      [   71.434876]  tcf_block_put_ext.part.30+0x8f/0x1b0
      [   71.440122]  tcf_block_put+0x4d/0x70
      [   71.444108]  cbq_destroy+0x4d/0xd0 [sch_cbq]
      [   71.448869]  qdisc_destroy+0x62/0x130
      [   71.452951]  dsmark_destroy+0x2a/0x70 [sch_dsmark]
      [   71.458300]  qdisc_destroy+0x62/0x130
      [   71.462373]  qdisc_graft+0x3ba/0x470
      [   71.466359]  tc_get_qdisc+0x2a6/0x2c0
      [   71.470443]  ? cred_has_capability+0x7d/0x130
      [   71.475307]  rtnetlink_rcv_msg+0x263/0x2d0
      [   71.479875]  ? rtnl_calcit.isra.30+0x110/0x110
      [   71.484832]  netlink_rcv_skb+0x4d/0x130
      [   71.489109]  netlink_unicast+0x1a3/0x250
      [   71.493482]  netlink_sendmsg+0x2ae/0x3a0
      [   71.497859]  sock_sendmsg+0x36/0x40
      [   71.501748]  ___sys_sendmsg+0x26f/0x2d0
      [   71.506029]  ? handle_pte_fault+0x586/0xdf0
      [   71.510694]  ? __handle_mm_fault+0x389/0x500
      [   71.515457]  ? __sys_sendmsg+0x5e/0xa0
      [   71.519636]  __sys_sendmsg+0x5e/0xa0
      [   71.523626]  do_syscall_64+0x5b/0x180
      [   71.527711]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [   71.533345] RIP: 0033:0x7f9d3e257f10
      [   71.537331] Code: c3 48 8b 05 82 6f 2c 00 f7 db 64 89 18 48 83 cb ff eb dd 0f 1f 80 00 00 00 00 83 3d 8d d0 2c 00 00 75 10 b8 2e 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 ec 08 e8
      [   71.558401] RSP: 002b:00007fff6f893398 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
      [   71.566848] RAX: ffffffffffffffda RBX: 000000005b71274d RCX: 00007f9d3e257f10
      [   71.574810] RDX: 0000000000000000 RSI: 00007fff6f8933e0 RDI: 0000000000000003
      [   71.582770] RBP: 00007fff6f8933e0 R08: 000000000000ffff R09: 0000000000000003
      [   71.590729] R10: 00007fff6f892e20 R11: 0000000000000246 R12: 0000000000000000
      [   71.598689] R13: 0000000000662ee0 R14: 0000000000000000 R15: 0000000000000000
      [   71.606651] Modules linked in: sch_cbq cls_tcindex sch_dsmark xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_coni
      [   71.685425]  libahci i2c_algo_bit i2c_core i40e libata dca mdio megaraid_sas dm_mirror dm_region_hash dm_log dm_mod
      [   71.697075] CR2: 0000000000000004
      [   71.700792] ---[ end trace f604eb1acacd978b ]---
      
      Reproducer:
      tc qdisc add dev lo handle 1:0 root dsmark indices 64 set_tc_index
      tc filter add dev lo parent 1:0 protocol ip prio 1 tcindex mask 0xfc shift 2
      tc qdisc add dev lo parent 1:0 handle 2:0 cbq bandwidth 10Mbit cell 8 avpkt 1000 mpu 64
      tc class add dev lo parent 2:0 classid 2:1 cbq bandwidth 10Mbit rate 1500Kbit avpkt 1000 prio 1 bounded isolated allot 1514 weight 1 maxburst 10
      tc filter add dev lo parent 2:0 protocol ip prio 1 handle 0x2e tcindex classid 2:1 pass_on
      tc qdisc add dev lo parent 2:1 pfifo limit 5
      tc qdisc del dev lo root
      
      This is because in tcindex_set_parms, when there is no old_r, we set new
      exts to cr.exts. And we didn't set it to filter when r == &new_filter_result.
      
      Then in tcindex_delete() -> tcf_exts_get_net(), we will get NULL pointer
      dereference as we didn't init exts.
      
      Fix it by moving tcf_exts_change() after "if (old_r && old_r != r)" check.
      Then we don't need "cr" as there is no errout after that.
      
      Fixes: bf63ac73
      
       ("net_sched: fix an oops in tcindex filter")
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8a1a056d
    • Wei Wang's avatar
      l2tp: use sk_dst_check() to avoid race on sk->sk_dst_cache · 4ea1da6d
      Wei Wang authored
      [ Upstream commit 6d37fa49 ]
      
      In l2tp code, if it is a L2TP_UDP_ENCAP tunnel, tunnel->sk points to a
      UDP socket. User could call sendmsg() on both this tunnel and the UDP
      socket itself concurrently. As l2tp_xmit_skb() holds socket lock and call
      __sk_dst_check() to refresh sk->sk_dst_cache, while udpv6_sendmsg() is
      lockless and call sk_dst_check() to refresh sk->sk_dst_cache, there
      could be a race and cause the dst cache to be freed multiple times.
      So we fix l2tp side code to always call sk_dst_check() to garantee
      xchg() is called when refreshing sk->sk_dst_cache to avoid race
      conditions.
      
      Syzkaller reported stack trace:
      BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
      BUG: KASAN: use-after-free in atomic_fetch_add_unless include/linux/atomic.h:575 [inline]
      BUG: KASAN: use-after-free in atomic_add_unless include/linux/atomic.h:597 [inline]
      BUG: KASAN: use-after-free in dst_hold_safe include/net/dst.h:308 [inline]
      BUG: KASAN: use-after-free in ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029
      Read of size 4 at addr ffff8801aea9a880 by task syz-executor129/4829
      
      CPU: 0 PID: 4829 Comm: syz-executor129 Not tainted 4.18.0-rc7-next-20180802+ #30
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
       print_address_description+0x6c/0x20b mm/kasan/report.c:256
       kasan_report_error mm/kasan/report.c:354 [inline]
       kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
       check_memory_region_inline mm/kasan/kasan.c:260 [inline]
       check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
       kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272
       atomic_read include/asm-generic/atomic-instrumented.h:21 [inline]
       atomic_fetch_add_unless include/linux/atomic.h:575 [inline]
       atomic_add_unless include/linux/atomic.h:597 [inline]
       dst_hold_safe include/net/dst.h:308 [inline]
       ip6_hold_safe+0xe6/0x670 net/ipv6/route.c:1029
       rt6_get_pcpu_route net/ipv6/route.c:1249 [inline]
       ip6_pol_route+0x354/0xd20 net/ipv6/route.c:1922
       ip6_pol_route_output+0x54/0x70 net/ipv6/route.c:2098
       fib6_rule_lookup+0x283/0x890 net/ipv6/fib6_rules.c:122
       ip6_route_output_flags+0x2c5/0x350 net/ipv6/route.c:2126
       ip6_dst_lookup_tail+0x1278/0x1da0 net/ipv6/ip6_output.c:978
       ip6_dst_lookup_flow+0xc8/0x270 net/ipv6/ip6_output.c:1079
       ip6_sk_dst_lookup_flow+0x5ed/0xc50 net/ipv6/ip6_output.c:1117
       udpv6_sendmsg+0x2163/0x36b0 net/ipv6/udp.c:1354
       inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:622 [inline]
       sock_sendmsg+0xd5/0x120 net/socket.c:632
       ___sys_sendmsg+0x51d/0x930 net/socket.c:2115
       __sys_sendmmsg+0x240/0x6f0 net/socket.c:2210
       __do_sys_sendmmsg net/socket.c:2239 [inline]
       __se_sys_sendmmsg net/socket.c:2236 [inline]
       __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2236
       do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x446a29
      Code: e8 ac b8 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f4de5532db8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
      RAX: ffffffffffffffda RBX: 00000000006dcc38 RCX: 0000000000446a29
      RDX: 00000000000000b8 RSI: 0000000020001b00 RDI: 0000000000000003
      RBP: 00000000006dcc30 R08: 00007f4de5533700 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dcc3c
      R13: 00007ffe2b830fdf R14: 00007f4de55339c0 R15: 0000000000000001
      
      Fixes: 71b1391a
      
       ("l2tp: ensure sk->dst is still valid")
      Reported-by: syzbot+05f840f3b04f211bad55@syzkaller.appspotmail.com
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Cc: Guillaume Nault <g.nault@alphalink.fr>
      Cc: David Ahern <dsahern@gmail.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      4ea1da6d
  2. 18 Aug, 2018 2 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.18.3 · 8a8c540d
      Greg Kroah-Hartman authored
      8a8c540d
    • Sean Christopherson's avatar
      x86/speculation/l1tf: Exempt zeroed PTEs from inversion · 8f7b7e0b
      Sean Christopherson authored
      commit f19f5c49 upstream.
      
      It turns out that we should *not* invert all not-present mappings,
      because the all zeroes case is obviously special.
      
      clear_page() does not undergo the XOR logic to invert the address bits,
      i.e. PTE, PMD and PUD entries that have not been individually written
      will have val=0 and so will trigger __pte_needs_invert(). As a result,
      {pte,pmd,pud}_pfn() will return the wrong PFN value, i.e. all ones
      (adjusted by the max PFN mask) instead of zero. A zeroed entry is ok
      because the page at physical address 0 is reserved early in boot
      specifically to mitigate L1TF, so explicitly exempt them from the
      inversion when reading the PFN.
      
      Manifested as an unexpected mprotect(..., PROT_NONE) failure when called
      on a VMA that has VM_PFNMAP and was mmap'd to as something other than
      PROT_NONE but never used. mprotect() sends the PROT_NONE request down
      prot_none_walk(), which walks the PTEs to check the PFNs.
      prot_none_pte_entry() gets the bogus PFN from pte_pfn() and returns
      -EACCES because it thinks mprotect() is trying to adjust a high MMIO
      address.
      
      [ This is a very modified version of Sean's original patch, but all
        credit goes to Sean for doing this and also pointing out that
        sometimes the __pte_needs_invert() function only gets the protection
        bits, not the full eventual pte.  But zero remains special even in
        just protection bits, so that's ok.   - Linus ]
      
      Fixes: f22cc87f
      
       ("x86/speculation/l1tf: Invert all not present mappings")
      Signed-off-by: default avatarSean Christopherson <sean.j.christopherson@intel.com>
      Acked-by: default avatarAndi Kleen <ak@linux.intel.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Josh Poimboeuf <jpoimboe@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      8f7b7e0b
  3. 17 Aug, 2018 2 commits
    • Greg Kroah-Hartman's avatar
      Linux 4.18.2 · e8c3aced
      Greg Kroah-Hartman authored
      e8c3aced
    • Toshi Kani's avatar
      x86/mm: Add TLB purge to free pmd/pte page interfaces · 69622a5c
      Toshi Kani authored
      commit 5e0fb5df upstream.
      
      ioremap() calls pud_free_pmd_page() / pmd_free_pte_page() when it creates
      a pud / pmd map.  The following preconditions are met at their entry.
       - All pte entries for a target pud/pmd address range have been cleared.
       - System-wide TLB purges have been peformed for a target pud/pmd address
         range.
      
      The preconditions assure that there is no stale TLB entry for the range.
      Speculation may not cache TLB entries since it requires all levels of page
      entries, including ptes, to have P & A-bits set for an associated address.
      However, speculation may cache pud/pmd entries (paging-structure caches)
      when they have P-bit set.
      
      Add a system-wide TLB purge (INVLPG) to a single page after clearing
      pud/pmd entry's P-bit.
      
      SDM 4.10.4.1, Operation that Invalidate TLBs and Paging-Structure Caches,
      states that:
        INVLPG invalidates all paging-structure caches associated with the
        current PCID regardless of the liner addresses to which they correspond.
      
      Fixes: 28ee90fe
      
       ("x86/mm: implement free pmd/pte page interfaces")
      Signed-off-by: default avatarToshi Kani <toshi.kani@hpe.com>
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Cc: mhocko@suse.com
      Cc: akpm@linux-foundation.org
      Cc: hpa@zytor.com
      Cc: cpandya@codeaurora.org
      Cc: linux-mm@kvack.org
      Cc: linux-arm-kernel@lists.infradead.org
      Cc: Joerg Roedel <joro@8bytes.org>
      Cc: stable@vger.kernel.org
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: <stable@vger.kernel.org>
      Link: https://lkml.kernel.org/r/20180627141348.21777-4-toshi.kani@hpe.com
      
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      69622a5c