All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 4.14 00/46] 4.14.169-stable review
@ 2020-01-28 13:57 Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 01/46] can, slip: Protect tty->disc_data in write_wakeup and close with RCU Greg Kroah-Hartman
                   ` (49 more replies)
  0 siblings, 50 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	ben.hutchings, lkft-triage, stable

This is the start of the stable review cycle for the 4.14.169 release.
There are 46 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Thu, 30 Jan 2020 13:57:09 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.169-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.14.169-rc1

Martin Schiller <ms@dev.tdt.de>
    net/x25: fix nonblocking connect

Kadlecsik József <kadlec@blackhole.kfki.hu>
    netfilter: ipset: use bitmap infrastructure completely

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free()

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    md: Avoid namespace collision with bitmap API

Bo Wu <wubo40@huawei.com>
    scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT

Wen Huang <huangwenabc@gmail.com>
    libertas: Fix two buffer overflows at parsing bss descriptor

Suzuki K Poulose <suzuki.poulose@arm.com>
    coresight: tmc-etf: Do not call smp_processor_id from preemptible

Suzuki K Poulose <suzuki.poulose@arm.com>
    coresight: etb10: Do not call smp_processor_id from preemptible

Masato Suzuki <masato.suzuki@wdc.com>
    sd: Fix REQ_OP_ZONE_REPORT completion handling

Al Viro <viro@zeniv.linux.org.uk>
    do_last(): fetch directory ->i_mode and ->i_uid before it's too late

Changbin Du <changbin.du@gmail.com>
    tracing: xen: Ordered comparison of function pointers

Bart Van Assche <bvanassche@acm.org>
    scsi: RDMA/isert: Fix a recently introduced regression related to logout

Gilles Buloz <gilles.buloz@kontron.com>
    hwmon: (nct7802) Fix voltage limits to wrong registers

Chuhong Yuan <hslester96@gmail.com>
    Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register

Johan Hovold <johan@kernel.org>
    Input: pegasus_notetaker - fix endpoint sanity check

Johan Hovold <johan@kernel.org>
    Input: aiptek - fix endpoint sanity check

Johan Hovold <johan@kernel.org>
    Input: gtco - fix endpoint sanity check

Johan Hovold <johan@kernel.org>
    Input: sur40 - fix interface sanity checks

Stephan Gerhold <stephan@gerhold.net>
    Input: pm8xxx-vib - fix handling of separate enable register

Jeremy Linton <jeremy.linton@arm.com>
    Documentation: Document arm64 kpti control

Michał Mirosław <mirq-linux@rere.qmqm.pl>
    mmc: sdhci: fix minimum clock rate for v3 controller

Michał Mirosław <mirq-linux@rere.qmqm.pl>
    mmc: tegra: fix SDR50 tuning override

Alex Sverdlin <alexander.sverdlin@nokia.com>
    ARM: 8950/1: ftrace/recordmcount: filter relocation types

Hans Verkuil <hverkuil-cisco@xs4all.nl>
    Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers"

Johan Hovold <johan@kernel.org>
    Input: keyspan-remote - fix control-message timeouts

Guenter Roeck <linux@roeck-us.net>
    hwmon: (core) Do not use device managed functions for memory allocations

Dmitry Osipenko <digetx@gmail.com>
    hwmon: (core) Fix double-free in __hwmon_device_register()

Linus Walleij <linus.walleij@linaro.org>
    hwmon: Deal with errors from the thermal subsystem

Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
    hwmon: (adt7475) Make volt2reg return same reg as reg2volt input

Eric Dumazet <edumazet@google.com>
    net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()

Wen Yang <wenyang@linux.alibaba.com>
    tcp_bbr: improve arithmetic division in bbr_update_bw()

James Hughes <james.hughes@raspberrypi.org>
    net: usb: lan78xx: Add .ndo_features_check

Jouni Hogander <jouni.hogander@unikie.com>
    net-sysfs: Fix reference count leak

Jouni Hogander <jouni.hogander@unikie.com>
    net-sysfs: Call dev_hold always in rx_queue_add_kobject

Jouni Hogander <jouni.hogander@unikie.com>
    net-sysfs: Call dev_hold always in netdev_queue_add_kobject

Eric Dumazet <edumazet@google.com>
    net-sysfs: fix netdev_queue_add_kobject() breakage

Jouni Hogander <jouni.hogander@unikie.com>
    net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject

Cong Wang <xiyou.wangcong@gmail.com>
    net_sched: fix datalen for ematch

William Dauchy <w.dauchy@criteo.com>
    net, ip_tunnel: fix namespaces move

William Dauchy <w.dauchy@criteo.com>
    net, ip6_tunnel: fix namespaces move

Michael Ellerman <mpe@ellerman.id.au>
    net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM

Yuki Taguchi <tagyounit@gmail.com>
    ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions

Eric Dumazet <edumazet@google.com>
    gtp: make sure only SOCK_DGRAM UDP sockets are accepted

Wenwen Wang <wenwen@cs.uga.edu>
    firestream: fix memory leaks

Richard Palethorpe <rpalethorpe@suse.com>
    can, slip: Protect tty->disc_data in write_wakeup and close with RCU


-------------

Diffstat:

 Documentation/admin-guide/kernel-parameters.txt |  6 ++
 Makefile                                        |  4 +-
 drivers/atm/firestream.c                        |  3 +
 drivers/hwmon/adt7475.c                         |  5 +-
 drivers/hwmon/hwmon.c                           | 83 ++++++++++++++++---------
 drivers/hwmon/nct7802.c                         |  4 +-
 drivers/hwtracing/coresight/coresight-etb10.c   |  4 +-
 drivers/hwtracing/coresight/coresight-tmc-etf.c |  4 +-
 drivers/infiniband/ulp/isert/ib_isert.c         | 12 ----
 drivers/input/misc/keyspan_remote.c             |  9 ++-
 drivers/input/misc/pm8xxx-vibrator.c            |  2 +-
 drivers/input/rmi4/rmi_smbus.c                  |  2 +
 drivers/input/tablet/aiptek.c                   |  6 +-
 drivers/input/tablet/gtco.c                     | 10 +--
 drivers/input/tablet/pegasus_notetaker.c        |  2 +-
 drivers/input/touchscreen/sun4i-ts.c            |  6 +-
 drivers/input/touchscreen/sur40.c               |  2 +-
 drivers/md/bitmap.c                             | 10 +--
 drivers/md/bitmap.h                             |  2 +-
 drivers/md/md-cluster.c                         |  6 +-
 drivers/media/v4l2-core/v4l2-ioctl.c            | 24 +++----
 drivers/mmc/host/sdhci-tegra.c                  |  2 +-
 drivers/mmc/host/sdhci.c                        | 10 +--
 drivers/net/can/slcan.c                         | 12 +++-
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |  2 +
 drivers/net/gtp.c                               | 10 +--
 drivers/net/slip/slip.c                         | 12 +++-
 drivers/net/usb/lan78xx.c                       | 15 +++++
 drivers/net/wireless/marvell/libertas/cfg.c     | 16 ++++-
 drivers/scsi/scsi_transport_iscsi.c             |  7 +++
 drivers/scsi/sd.c                               |  8 ++-
 drivers/target/iscsi/iscsi_target.c             |  6 +-
 fs/namei.c                                      | 17 ++---
 include/linux/bitmap.h                          |  8 +++
 include/linux/netdevice.h                       |  1 +
 include/linux/netfilter/ipset/ip_set.h          |  7 ---
 include/trace/events/xen.h                      |  6 +-
 lib/bitmap.c                                    | 20 ++++++
 net/core/dev.c                                  | 36 +++++++----
 net/core/net-sysfs.c                            | 39 +++++++-----
 net/core/rtnetlink.c                            | 13 +++-
 net/ipv4/ip_tunnel.c                            |  4 +-
 net/ipv4/tcp_bbr.c                              |  3 +-
 net/ipv6/ip6_tunnel.c                           |  4 +-
 net/ipv6/seg6_local.c                           |  4 +-
 net/netfilter/ipset/ip_set_bitmap_gen.h         |  2 +-
 net/netfilter/ipset/ip_set_bitmap_ip.c          |  6 +-
 net/netfilter/ipset/ip_set_bitmap_ipmac.c       |  6 +-
 net/netfilter/ipset/ip_set_bitmap_port.c        |  6 +-
 net/sched/ematch.c                              |  2 +-
 net/x25/af_x25.c                                |  6 +-
 scripts/recordmcount.c                          | 17 +++++
 52 files changed, 336 insertions(+), 177 deletions(-)



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 01/46] can, slip: Protect tty->disc_data in write_wakeup and close with RCU
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 02/46] firestream: fix memory leaks Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+017e491ae13c0068598a,
	Richard Palethorpe, Wolfgang Grandegger, Marc Kleine-Budde,
	David S. Miller, Tyler Hall, linux-can, netdev, syzkaller

From: Richard Palethorpe <rpalethorpe@suse.com>

[ Upstream commit 0ace17d56824165c7f4c68785d6b58971db954dd ]

write_wakeup can happen in parallel with close/hangup where tty->disc_data
is set to NULL and the netdevice is freed thus also freeing
disc_data. write_wakeup accesses disc_data so we must prevent close from
freeing the netdev while write_wakeup has a non-NULL view of
tty->disc_data.

We also need to make sure that accesses to disc_data are atomic. Which can
all be done with RCU.

This problem was found by Syzkaller on SLCAN, but the same issue is
reproducible with the SLIP line discipline using an LTP test based on the
Syzkaller reproducer.

A fix which didn't use RCU was posted by Hillf Danton.

Fixes: 661f7fda21b1 ("slip: Fix deadlock in write_wakeup")
Fixes: a8e83b17536a ("slcan: Port write_wakeup deadlock fix from slip")
Reported-by: syzbot+017e491ae13c0068598a@syzkaller.appspotmail.com
Signed-off-by: Richard Palethorpe <rpalethorpe@suse.com>
Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Tyler Hall <tylerwhall@gmail.com>
Cc: linux-can@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: syzkaller@googlegroups.com
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/slcan.c |   12 ++++++++++--
 drivers/net/slip/slip.c |   12 ++++++++++--
 2 files changed, 20 insertions(+), 4 deletions(-)

--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -343,9 +343,16 @@ static void slcan_transmit(struct work_s
  */
 static void slcan_write_wakeup(struct tty_struct *tty)
 {
-	struct slcan *sl = tty->disc_data;
+	struct slcan *sl;
+
+	rcu_read_lock();
+	sl = rcu_dereference(tty->disc_data);
+	if (!sl)
+		goto out;
 
 	schedule_work(&sl->tx_work);
+out:
+	rcu_read_unlock();
 }
 
 /* Send a can_frame to a TTY queue. */
@@ -640,10 +647,11 @@ static void slcan_close(struct tty_struc
 		return;
 
 	spin_lock_bh(&sl->lock);
-	tty->disc_data = NULL;
+	rcu_assign_pointer(tty->disc_data, NULL);
 	sl->tty = NULL;
 	spin_unlock_bh(&sl->lock);
 
+	synchronize_rcu();
 	flush_work(&sl->tx_work);
 
 	/* Flush network side */
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -452,9 +452,16 @@ static void slip_transmit(struct work_st
  */
 static void slip_write_wakeup(struct tty_struct *tty)
 {
-	struct slip *sl = tty->disc_data;
+	struct slip *sl;
+
+	rcu_read_lock();
+	sl = rcu_dereference(tty->disc_data);
+	if (!sl)
+		goto out;
 
 	schedule_work(&sl->tx_work);
+out:
+	rcu_read_unlock();
 }
 
 static void sl_tx_timeout(struct net_device *dev)
@@ -886,10 +893,11 @@ static void slip_close(struct tty_struct
 		return;
 
 	spin_lock_bh(&sl->lock);
-	tty->disc_data = NULL;
+	rcu_assign_pointer(tty->disc_data, NULL);
 	sl->tty = NULL;
 	spin_unlock_bh(&sl->lock);
 
+	synchronize_rcu();
 	flush_work(&sl->tx_work);
 
 	/* VSV = very important to remove timers */

^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 02/46] firestream: fix memory leaks
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 01/46] can, slip: Protect tty->disc_data in write_wakeup and close with RCU Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 03/46] gtp: make sure only SOCK_DGRAM UDP sockets are accepted Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Wenwen Wang, David S. Miller

From: Wenwen Wang <wenwen@cs.uga.edu>

[ Upstream commit fa865ba183d61c1ec8cbcab8573159c3b72b89a4 ]

In fs_open(), 'vcc' is allocated through kmalloc() and assigned to
'atm_vcc->dev_data.' In the following execution, if an error occurs, e.g.,
there is no more free channel, an error code EBUSY or ENOMEM will be
returned. However, 'vcc' is not deallocated, leading to memory leaks. Note
that, in normal cases where fs_open() returns 0, 'vcc' will be deallocated
in fs_close(). But, if fs_open() fails, there is no guarantee that
fs_close() will be invoked.

To fix this issue, deallocate 'vcc' before the error code is returned.

Signed-off-by: Wenwen Wang <wenwen@cs.uga.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/atm/firestream.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/atm/firestream.c
+++ b/drivers/atm/firestream.c
@@ -927,6 +927,7 @@ static int fs_open(struct atm_vcc *atm_v
 			}
 			if (!to) {
 				printk ("No more free channels for FS50..\n");
+				kfree(vcc);
 				return -EBUSY;
 			}
 			vcc->channo = dev->channo;
@@ -937,6 +938,7 @@ static int fs_open(struct atm_vcc *atm_v
 			if (((DO_DIRECTION(rxtp) && dev->atm_vccs[vcc->channo])) ||
 			    ( DO_DIRECTION(txtp) && test_bit (vcc->channo, dev->tx_inuse))) {
 				printk ("Channel is in use for FS155.\n");
+				kfree(vcc);
 				return -EBUSY;
 			}
 		}
@@ -950,6 +952,7 @@ static int fs_open(struct atm_vcc *atm_v
 			    tc, sizeof (struct fs_transmit_config));
 		if (!tc) {
 			fs_dprintk (FS_DEBUG_OPEN, "fs: can't alloc transmit_config.\n");
+			kfree(vcc);
 			return -ENOMEM;
 		}
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 03/46] gtp: make sure only SOCK_DGRAM UDP sockets are accepted
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 01/46] can, slip: Protect tty->disc_data in write_wakeup and close with RCU Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 02/46] firestream: fix memory leaks Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 04/46] ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Pablo Neira, syzbot,
	David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 940ba14986657a50c15f694efca1beba31fa568f ]

A malicious user could use RAW sockets and fool
GTP using them as standard SOCK_DGRAM UDP sockets.

BUG: KMSAN: uninit-value in udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
BUG: KMSAN: uninit-value in setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
CPU: 0 PID: 11262 Comm: syz-executor613 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x220 lib/dump_stack.c:118
 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
 __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
 udp_tunnel_encap_enable include/net/udp_tunnel.h:174 [inline]
 setup_udp_tunnel_sock+0x45e/0x6f0 net/ipv4/udp_tunnel.c:85
 gtp_encap_enable_socket+0x37f/0x5a0 drivers/net/gtp.c:827
 gtp_encap_enable drivers/net/gtp.c:844 [inline]
 gtp_newlink+0xfb/0x1e50 drivers/net/gtp.c:666
 __rtnl_newlink net/core/rtnetlink.c:3305 [inline]
 rtnl_newlink+0x2973/0x3920 net/core/rtnetlink.c:3363
 rtnetlink_rcv_msg+0x1153/0x1570 net/core/rtnetlink.c:5424
 netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg net/socket.c:659 [inline]
 ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
 ___sys_sendmsg net/socket.c:2384 [inline]
 __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441359
Code: e8 ac e8 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff1cd0ac28 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441359
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000246 R12: 00000000004020d0
R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
 kmsan_save_stack_with_flags+0x3c/0x90 mm/kmsan/kmsan.c:144
 kmsan_internal_alloc_meta_for_pages mm/kmsan/kmsan_shadow.c:307 [inline]
 kmsan_alloc_page+0x12a/0x310 mm/kmsan/kmsan_shadow.c:336
 __alloc_pages_nodemask+0x57f2/0x5f60 mm/page_alloc.c:4800
 alloc_pages_current+0x67d/0x990 mm/mempolicy.c:2207
 alloc_pages include/linux/gfp.h:534 [inline]
 alloc_slab_page+0x111/0x12f0 mm/slub.c:1511
 allocate_slab mm/slub.c:1656 [inline]
 new_slab+0x2bc/0x1130 mm/slub.c:1722
 new_slab_objects mm/slub.c:2473 [inline]
 ___slab_alloc+0x1533/0x1f30 mm/slub.c:2624
 __slab_alloc mm/slub.c:2664 [inline]
 slab_alloc_node mm/slub.c:2738 [inline]
 slab_alloc mm/slub.c:2783 [inline]
 kmem_cache_alloc+0xb23/0xd70 mm/slub.c:2788
 sk_prot_alloc+0xf2/0x620 net/core/sock.c:1597
 sk_alloc+0xf0/0xbe0 net/core/sock.c:1657
 inet_create+0x7c7/0x1370 net/ipv4/af_inet.c:321
 __sock_create+0x8eb/0xf00 net/socket.c:1420
 sock_create net/socket.c:1471 [inline]
 __sys_socket+0x1a1/0x600 net/socket.c:1513
 __do_sys_socket net/socket.c:1522 [inline]
 __se_sys_socket+0x8d/0xb0 net/socket.c:1520
 __x64_sys_socket+0x4a/0x70 net/socket.c:1520
 do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 459aa660eb1d ("gtp: add initial driver for datapath of GPRS Tunneling Protocol (GTP-U)")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pablo Neira <pablo@netfilter.org>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/gtp.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -807,19 +807,21 @@ static struct sock *gtp_encap_enable_soc
 		return NULL;
 	}
 
-	if (sock->sk->sk_protocol != IPPROTO_UDP) {
+	sk = sock->sk;
+	if (sk->sk_protocol != IPPROTO_UDP ||
+	    sk->sk_type != SOCK_DGRAM ||
+	    (sk->sk_family != AF_INET && sk->sk_family != AF_INET6)) {
 		pr_debug("socket fd=%d not UDP\n", fd);
 		sk = ERR_PTR(-EINVAL);
 		goto out_sock;
 	}
 
-	lock_sock(sock->sk);
-	if (sock->sk->sk_user_data) {
+	lock_sock(sk);
+	if (sk->sk_user_data) {
 		sk = ERR_PTR(-EBUSY);
 		goto out_rel_sock;
 	}
 
-	sk = sock->sk;
 	sock_hold(sk);
 
 	tuncfg.sk_user_data = gtp;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 04/46] ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 03/46] gtp: make sure only SOCK_DGRAM UDP sockets are accepted Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 05/46] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yuki Taguchi, David S. Miller

From: Yuki Taguchi <tagyounit@gmail.com>

[ Upstream commit 62ebaeaedee7591c257543d040677a60e35c7aec ]

After LRO/GRO is applied, SRv6 encapsulated packets have
SKB_GSO_IPXIP6 feature flag, and this flag must be removed right after
decapulation procedure.

Currently, SKB_GSO_IPXIP6 flag is not removed on End.D* actions, which
creates inconsistent packet state, that is, a normal TCP/IP packets
have the SKB_GSO_IPXIP6 flag. This behavior can cause unexpected
fallback to GSO on routing to netdevices that do not support
SKB_GSO_IPXIP6. For example, on inter-VRF forwarding, decapsulated
packets separated into small packets by GSO because VRF devices do not
support TSO for packets with SKB_GSO_IPXIP6 flag, and this degrades
forwarding performance.

This patch removes encapsulation related GSO flags from the skb right
after the End.D* action is applied.

Fixes: d7a669dd2f8b ("ipv6: sr: add helper functions for seg6local")
Signed-off-by: Yuki Taguchi <tagyounit@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/seg6_local.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/ipv6/seg6_local.c
+++ b/net/ipv6/seg6_local.c
@@ -27,6 +27,7 @@
 #include <net/addrconf.h>
 #include <net/ip6_route.h>
 #include <net/dst_cache.h>
+#include <net/ip_tunnels.h>
 #ifdef CONFIG_IPV6_SEG6_HMAC
 #include <net/seg6_hmac.h>
 #endif
@@ -126,7 +127,8 @@ static bool decap_and_validate(struct sk
 
 	skb_reset_network_header(skb);
 	skb_reset_transport_header(skb);
-	skb->encapsulation = 0;
+	if (iptunnel_pull_offloads(skb))
+		return false;
 
 	return true;
 }



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 05/46] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 04/46] ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 06/46] net, ip6_tunnel: fix namespaces move Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilja Van Sprundel, Michael Ellerman,
	David S. Miller

From: Michael Ellerman <mpe@ellerman.id.au>

[ Upstream commit 3546d8f1bbe992488ed91592cf6bf76e7114791a =

The cxgb3 driver for "Chelsio T3-based gigabit and 10Gb Ethernet
adapters" implements a custom ioctl as SIOCCHIOCTL/SIOCDEVPRIVATE in
cxgb_extension_ioctl().

One of the subcommands of the ioctl is CHELSIO_GET_MEM, which appears
to read memory directly out of the adapter and return it to userspace.
It's not entirely clear what the contents of the adapter memory
contains, but the assumption is that it shouldn't be accessible to all
users.

So add a CAP_NET_ADMIN check to the CHELSIO_GET_MEM case. Put it after
the is_offload() check, which matches two of the other subcommands in
the same function which also check for is_offload() and CAP_NET_ADMIN.

Found by Ilja by code inspection, not tested as I don't have the
required hardware.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
+++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c
@@ -2449,6 +2449,8 @@ static int cxgb_extension_ioctl(struct n
 
 		if (!is_offload(adapter))
 			return -EOPNOTSUPP;
+		if (!capable(CAP_NET_ADMIN))
+			return -EPERM;
 		if (!(adapter->flags & FULL_INIT_DONE))
 			return -EIO;	/* need the memory controllers */
 		if (copy_from_user(&t, useraddr, sizeof(t)))



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 06/46] net, ip6_tunnel: fix namespaces move
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 05/46] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 07/46] net, ip_tunnel: " Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, William Dauchy, Nicolas Dichtel,
	David S. Miller

From: William Dauchy <w.dauchy@criteo.com>

[ Upstream commit 5311a69aaca30fa849c3cc46fb25f75727fb72d0 ]

in the same manner as commit d0f418516022 ("net, ip_tunnel: fix
namespaces move"), fix namespace moving as it was broken since commit
8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnel"), but for
ipv6 this time; there is no reason to keep it for ip6_tunnel.

Fixes: 8d79266bc48c ("ip6_tunnel: add collect_md mode to IPv6 tunnel")
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/ip6_tunnel.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/ipv6/ip6_tunnel.c
+++ b/net/ipv6/ip6_tunnel.c
@@ -1878,10 +1878,8 @@ static int ip6_tnl_dev_init(struct net_d
 	if (err)
 		return err;
 	ip6_tnl_link_config(t);
-	if (t->parms.collect_md) {
-		dev->features |= NETIF_F_NETNS_LOCAL;
+	if (t->parms.collect_md)
 		netif_keep_dst(dev);
-	}
 	return 0;
 }
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 07/46] net, ip_tunnel: fix namespaces move
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 06/46] net, ip6_tunnel: fix namespaces move Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 08/46] net_sched: fix datalen for ematch Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, William Dauchy, Nicolas Dichtel,
	David S. Miller

From: William Dauchy <w.dauchy@criteo.com>

[ Upstream commit d0f418516022c32ecceaf4275423e5bd3f8743a9 ]

in the same manner as commit 690afc165bb3 ("net: ip6_gre: fix moving
ip6gre between namespaces"), fix namespace moving as it was broken since
commit 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.").
Indeed, the ip6_gre commit removed the local flag for collect_md
condition, so there is no reason to keep it for ip_gre/ip_tunnel.

this patch will fix both ip_tunnel and ip_gre modules.

Fixes: 2e15ea390e6f ("ip_gre: Add support to collect tunnel metadata.")
Signed-off-by: William Dauchy <w.dauchy@criteo.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/ip_tunnel.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -1202,10 +1202,8 @@ int ip_tunnel_init(struct net_device *de
 	iph->version		= 4;
 	iph->ihl		= 5;
 
-	if (tunnel->collect_md) {
-		dev->features |= NETIF_F_NETNS_LOCAL;
+	if (tunnel->collect_md)
 		netif_keep_dst(dev);
-	}
 	return 0;
 }
 EXPORT_SYMBOL_GPL(ip_tunnel_init);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 08/46] net_sched: fix datalen for ematch
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 07/46] net, ip_tunnel: " Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 09/46] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+2f07903a5b05e7f36410,
	Eric Dumazet, Cong Wang, Eric Dumazet, David S. Miller,
	syzbot+5af9a90dad568aa9f611

From: Cong Wang <xiyou.wangcong@gmail.com>

[ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ]

syzbot reported an out-of-bound access in em_nbyte. As initially
analyzed by Eric, this is because em_nbyte sets its own em->datalen
in em_nbyte_change() other than the one specified by user, but this
value gets overwritten later by its caller tcf_em_validate().
We should leave em->datalen untouched to respect their choices.

I audit all the in-tree ematch users, all of those implement
->change() set em->datalen, so we can just avoid setting it twice
in this case.

Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/ematch.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/sched/ematch.c
+++ b/net/sched/ematch.c
@@ -267,12 +267,12 @@ static int tcf_em_validate(struct tcf_pr
 				}
 				em->data = (unsigned long) v;
 			}
+			em->datalen = data_len;
 		}
 	}
 
 	em->matchid = em_hdr->matchid;
 	em->flags = em_hdr->flags;
-	em->datalen = data_len;
 	em->net = net;
 
 	err = 0;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 09/46] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 08/46] net_sched: fix datalen for ematch Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 10/46] net-sysfs: fix netdev_queue_add_kobject() breakage Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, David Miller, Lukas Bulwahn, Jouni Hogander

From: Jouni Hogander <jouni.hogander@unikie.com>

commit b8eb718348b8fb30b5a7d0a8fce26fb3f4ac741b upstream.

kobject_init_and_add takes reference even when it fails. This has
to be given up by the caller in error handling. Otherwise memory
allocated by kobject_init_and_add is never freed. Originally found
by Syzkaller:

BUG: memory leak
unreferenced object 0xffff8880679f8b08 (size 8):
  comm "netdev_register", pid 269, jiffies 4294693094 (age 12.132s)
  hex dump (first 8 bytes):
    72 78 2d 30 00 36 20 d4                          rx-0.6 .
  backtrace:
    [<000000008c93818e>] __kmalloc_track_caller+0x16e/0x290
    [<000000001f2e4e49>] kvasprintf+0xb1/0x140
    [<000000007f313394>] kvasprintf_const+0x56/0x160
    [<00000000aeca11c8>] kobject_set_name_vargs+0x5b/0x140
    [<0000000073a0367c>] kobject_init_and_add+0xd8/0x170
    [<0000000088838e4b>] net_rx_queue_update_kobjects+0x152/0x560
    [<000000006be5f104>] netdev_register_kobject+0x210/0x380
    [<00000000e31dab9d>] register_netdevice+0xa1b/0xf00
    [<00000000f68b2465>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000004c50599f>] tun_chr_ioctl+0x2f/0x40
    [<00000000bbd4c317>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000d4c59e8f>] ksys_ioctl+0x99/0xb0
    [<00000000946aea81>] __x64_sys_ioctl+0x78/0xb0
    [<0000000038d946e5>] do_syscall_64+0x16f/0x580
    [<00000000e0aa5d8f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000285b3d1a>] 0xffffffffffffffff

Cc: David Miller <davem@davemloft.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/net-sysfs.c |   24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -915,21 +915,23 @@ static int rx_queue_add_kobject(struct n
 	error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
 				     "rx-%u", index);
 	if (error)
-		return error;
+		goto err;
 
 	dev_hold(queue->dev);
 
 	if (dev->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
-		if (error) {
-			kobject_put(kobj);
-			return error;
-		}
+		if (error)
+			goto err;
 	}
 
 	kobject_uevent(kobj, KOBJ_ADD);
 
 	return error;
+
+err:
+	kobject_put(kobj);
+	return error;
 }
 #endif /* CONFIG_SYSFS */
 
@@ -1326,21 +1328,21 @@ static int netdev_queue_add_kobject(stru
 	error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
 				     "tx-%u", index);
 	if (error)
-		return error;
+		goto err;
 
 	dev_hold(queue->dev);
 
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
-	if (error) {
-		kobject_put(kobj);
-		return error;
-	}
+	if (error)
+		goto err;
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
 
-	return 0;
+err:
+	kobject_put(kobj);
+	return error;
 }
 #endif /* CONFIG_SYSFS */
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 10/46] net-sysfs: fix netdev_queue_add_kobject() breakage
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 09/46] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 11/46] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, Jouni Hogander,
	David S. Miller

From: Eric Dumazet <edumazet@google.com>

commit 48a322b6f9965b2f1e4ce81af972f0e287b07ed0 upstream.

kobject_put() should only be called in error path.

Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/net-sysfs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1339,6 +1339,7 @@ static int netdev_queue_add_kobject(stru
 #endif
 
 	kobject_uevent(kobj, KOBJ_ADD);
+	return 0;
 
 err:
 	kobject_put(kobj);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 11/46] net-sysfs: Call dev_hold always in netdev_queue_add_kobject
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 10/46] net-sysfs: fix netdev_queue_add_kobject() breakage Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 12/46] net-sysfs: Call dev_hold always in rx_queue_add_kobject Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Tetsuo Handa,
	David Miller, Lukas Bulwahn

From: Jouni Hogander <jouni.hogander@unikie.com>

commit e0b60903b434a7ee21ba8d8659f207ed84101e89 upstream.

Dev_hold has to be called always in netdev_queue_add_kobject.
Otherwise usage count drops below 0 in case of failure in
kobject_init_and_add.

Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
Reported-by: Hulk Robot <hulkci@huawei.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: David Miller <davem@davemloft.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/net-sysfs.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -1324,14 +1324,17 @@ static int netdev_queue_add_kobject(stru
 	struct kobject *kobj = &queue->kobj;
 	int error = 0;
 
+	/* Kobject_put later will trigger netdev_queue_release call
+	 * which decreases dev refcount: Take that reference here
+	 */
+	dev_hold(queue->dev);
+
 	kobj->kset = dev->queues_kset;
 	error = kobject_init_and_add(kobj, &netdev_queue_ktype, NULL,
 				     "tx-%u", index);
 	if (error)
 		goto err;
 
-	dev_hold(queue->dev);
-
 #ifdef CONFIG_BQL
 	error = sysfs_create_group(kobj, &dql_group);
 	if (error)



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 12/46] net-sysfs: Call dev_hold always in rx_queue_add_kobject
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 11/46] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 13/46] net-sysfs: Fix reference count leak Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot, Tetsuo Handa, David Miller,
	Lukas Bulwahn, Jouni Hogander

From: Jouni Hogander <jouni.hogander@unikie.com>

commit ddd9b5e3e765d8ed5a35786a6cb00111713fe161 upstream.

Dev_hold has to be called always in rx_queue_add_kobject.
Otherwise usage count drops below 0 in case of failure in
kobject_init_and_add.

Fixes: b8eb718348b8 ("net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject")
Reported-by: syzbot <syzbot+30209ea299c09d8785c9@syzkaller.appspotmail.com>
Cc: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: David Miller <davem@davemloft.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/core/net-sysfs.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -911,14 +911,17 @@ static int rx_queue_add_kobject(struct n
 	struct kobject *kobj = &queue->kobj;
 	int error = 0;
 
+	/* Kobject_put later will trigger rx_queue_release call which
+	 * decreases dev refcount: Take that reference here
+	 */
+	dev_hold(queue->dev);
+
 	kobj->kset = dev->queues_kset;
 	error = kobject_init_and_add(kobj, &rx_queue_ktype, NULL,
 				     "rx-%u", index);
 	if (error)
 		goto err;
 
-	dev_hold(queue->dev);
-
 	if (dev->sysfs_rx_queue_group) {
 		error = sysfs_create_group(kobj, dev->sysfs_rx_queue_group);
 		if (error)



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 13/46] net-sysfs: Fix reference count leak
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 12/46] net-sysfs: Call dev_hold always in rx_queue_add_kobject Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 14/46] net: usb: lan78xx: Add .ndo_features_check Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+ad8ca40ecd77896d51e2,
	David Miller, Lukas Bulwahn, Jouni Hogander

From: Jouni Hogander <jouni.hogander@unikie.com>

[ Upstream commit cb626bf566eb4433318d35681286c494f04fedcc ]

Netdev_register_kobject is calling device_initialize. In case of error
reference taken by device_initialize is not given up.

Drivers are supposed to call free_netdev in case of error. In non-error
case the last reference is given up there and device release sequence
is triggered. In error case this reference is kept and the release
sequence is never started.

Fix this by setting reg_state as NETREG_UNREGISTERED if registering
fails.

This is the rootcause for couple of memory leaks reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff8880675ca008 (size 256):
  comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
    [<000000002340019b>] device_add+0x882/0x1750
    [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
    [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
    [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
    [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
    [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
    [<00000000984cabb9>] do_syscall_64+0x16f/0x580
    [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000e6ca2d9f>] 0xffffffffffffffff

BUG: memory leak
unreferenced object 0xffff8880668ba588 (size 8):
  comm "kobject_set_nam", pid 286, jiffies 4294725297 (age 9.871s)
  hex dump (first 8 bytes):
    6e 72 30 00 cc be df 2b                          nr0....+
  backtrace:
    [<00000000a322332a>] __kmalloc_track_caller+0x16e/0x290
    [<00000000236fd26b>] kstrdup+0x3e/0x70
    [<00000000dd4a2815>] kstrdup_const+0x3e/0x50
    [<0000000049a377fc>] kvasprintf_const+0x10e/0x160
    [<00000000627fc711>] kobject_set_name_vargs+0x5b/0x140
    [<0000000019eeab06>] dev_set_name+0xc0/0xf0
    [<0000000069cb12bc>] netdev_register_kobject+0xc8/0x320
    [<00000000f2e83732>] register_netdevice+0xa1b/0xf00
    [<000000009e1f57cc>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000009c560784>] tun_chr_ioctl+0x2f/0x40
    [<000000000d759e02>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000351d7c31>] ksys_ioctl+0x99/0xb0
    [<000000008390040a>] __x64_sys_ioctl+0x78/0xb0
    [<0000000052d196b7>] do_syscall_64+0x16f/0x580
    [<0000000019af9236>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000bc384531>] 0xffffffffffffffff

v3 -> v4:
  Set reg_state to NETREG_UNREGISTERED if registering fails

v2 -> v3:
* Replaced BUG_ON with WARN_ON in free_netdev and netdev_release

v1 -> v2:
* Relying on driver calling free_netdev rather than calling
  put_device directly in error path

Reported-by: syzbot+ad8ca40ecd77896d51e2@syzkaller.appspotmail.com
Cc: David Miller <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/dev.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -7667,8 +7667,10 @@ int register_netdevice(struct net_device
 		goto err_uninit;
 
 	ret = netdev_register_kobject(dev);
-	if (ret)
+	if (ret) {
+		dev->reg_state = NETREG_UNREGISTERED;
 		goto err_uninit;
+	}
 	dev->reg_state = NETREG_REGISTERED;
 
 	__netdev_update_features(dev);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 14/46] net: usb: lan78xx: Add .ndo_features_check
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 13/46] net-sysfs: Fix reference count leak Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 15/46] tcp_bbr: improve arithmetic division in bbr_update_bw() Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James Hughes, Eric Dumazet, David S. Miller

From: James Hughes <james.hughes@raspberrypi.org>

[ Upstream commit ce896476c65d72b4b99fa09c2f33436b4198f034 ]

As reported by Eric Dumazet, there are still some outstanding
cases where the driver does not handle TSO correctly when skb's
are over a certain size. Most cases have been fixed, this patch
should ensure that forwarded SKB's that are greater than
MAX_SINGLE_PACKET_SIZE - TX_OVERHEAD are software segmented
and handled correctly.

Signed-off-by: James Hughes <james.hughes@raspberrypi.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/lan78xx.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/drivers/net/usb/lan78xx.c
+++ b/drivers/net/usb/lan78xx.c
@@ -31,6 +31,7 @@
 #include <linux/mdio.h>
 #include <linux/phy.h>
 #include <net/ip6_checksum.h>
+#include <net/vxlan.h>
 #include <linux/interrupt.h>
 #include <linux/irqdomain.h>
 #include <linux/irq.h>
@@ -3525,6 +3526,19 @@ static void lan78xx_tx_timeout(struct ne
 	tasklet_schedule(&dev->bh);
 }
 
+static netdev_features_t lan78xx_features_check(struct sk_buff *skb,
+						struct net_device *netdev,
+						netdev_features_t features)
+{
+	if (skb->len + TX_OVERHEAD > MAX_SINGLE_PACKET_SIZE)
+		features &= ~NETIF_F_GSO_MASK;
+
+	features = vlan_features_check(skb, features);
+	features = vxlan_features_check(skb, features);
+
+	return features;
+}
+
 static const struct net_device_ops lan78xx_netdev_ops = {
 	.ndo_open		= lan78xx_open,
 	.ndo_stop		= lan78xx_stop,
@@ -3538,6 +3552,7 @@ static const struct net_device_ops lan78
 	.ndo_set_features	= lan78xx_set_features,
 	.ndo_vlan_rx_add_vid	= lan78xx_vlan_rx_add_vid,
 	.ndo_vlan_rx_kill_vid	= lan78xx_vlan_rx_kill_vid,
+	.ndo_features_check	= lan78xx_features_check,
 };
 
 static void lan78xx_stat_monitor(unsigned long param)



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 15/46] tcp_bbr: improve arithmetic division in bbr_update_bw()
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 14/46] net: usb: lan78xx: Add .ndo_features_check Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 16/46] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Wen Yang, Eric Dumazet,
	David S. Miller, Alexey Kuznetsov, Hideaki YOSHIFUJI, netdev

From: Wen Yang <wenyang@linux.alibaba.com>

[ Upstream commit 5b2f1f3070b6447b76174ea8bfb7390dc6253ebd ]

do_div() does a 64-by-32 division. Use div64_long() instead of it
if the divisor is long, to avoid truncation to 32-bit.
And as a nice side effect also cleans up the function a bit.

Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/tcp_bbr.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/net/ipv4/tcp_bbr.c
+++ b/net/ipv4/tcp_bbr.c
@@ -678,8 +678,7 @@ static void bbr_update_bw(struct sock *s
 	 * bandwidth sample. Delivered is in packets and interval_us in uS and
 	 * ratio will be <<1 for most connections. So delivered is first scaled.
 	 */
-	bw = (u64)rs->delivered * BW_UNIT;
-	do_div(bw, rs->interval_us);
+	bw = div64_long((u64)rs->delivered * BW_UNIT, rs->interval_us);
 
 	/* If this sample is application-limited, it is likely to have a very
 	 * low delivered count that represents application behavior rather than



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 16/46] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 15/46] tcp_bbr: improve arithmetic division in bbr_update_bw() Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 17/46] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot, David S. Miller

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d836f5c69d87473ff65c06a6123e5b2cf5e56f5b ]

rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
checks that we apply in do_setlink()

Otherwise malicious users can crash the kernel, for example after
an integer overflow :

BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0

CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 check_memory_region_inline mm/kasan/generic.c:185 [inline]
 check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
 memset+0x24/0x40 mm/kasan/common.c:108
 memset include/linux/string.h:365 [inline]
 __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
 alloc_skb include/linux/skbuff.h:1049 [inline]
 alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
 sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
 sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
 mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
 add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
 add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
 mld_send_cr net/ipv6/mcast.c:1970 [inline]
 mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
 call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
 expire_timers kernel/time/timer.c:1449 [inline]
 __run_timers kernel/time/timer.c:1773 [inline]
 __run_timers kernel/time/timer.c:1740 [inline]
 run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
 __do_softirq+0x262/0x98c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:373 [inline]
 irq_exit+0x19b/0x1e0 kernel/softirq.c:413
 exiting_irq arch/x86/include/asm/apic.h:536 [inline]
 smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
 apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
 </IRQ>
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 <c3> cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
 arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
 default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
 cpuidle_idle_call kernel/sched/idle.c:154 [inline]
 do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
 cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
 rest_init+0x23b/0x371 init/main.c:451
 arch_call_rest_init+0xe/0x1b
 start_kernel+0x904/0x943 init/main.c:784
 x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
 x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
 secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242

The buggy address belongs to the page:
page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

Fixes: 61e84623ace3 ("net: centralize net_device min/max MTU checking")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/netdevice.h |    1 +
 net/core/dev.c            |   32 ++++++++++++++++++++------------
 net/core/rtnetlink.c      |   13 +++++++++++--
 3 files changed, 32 insertions(+), 14 deletions(-)

--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -3313,6 +3313,7 @@ int dev_set_alias(struct net_device *, c
 int dev_change_net_namespace(struct net_device *, struct net *, const char *);
 int __dev_set_mtu(struct net_device *, int);
 int dev_set_mtu(struct net_device *, int);
+int dev_validate_mtu(struct net_device *dev, int mtu);
 void dev_set_group(struct net_device *, int);
 int dev_set_mac_address(struct net_device *, struct sockaddr *);
 int dev_change_carrier(struct net_device *, bool new_carrier);
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -6896,18 +6896,9 @@ int dev_set_mtu(struct net_device *dev,
 	if (new_mtu == dev->mtu)
 		return 0;
 
-	/* MTU must be positive, and in range */
-	if (new_mtu < 0 || new_mtu < dev->min_mtu) {
-		net_err_ratelimited("%s: Invalid MTU %d requested, hw min %d\n",
-				    dev->name, new_mtu, dev->min_mtu);
-		return -EINVAL;
-	}
-
-	if (dev->max_mtu > 0 && new_mtu > dev->max_mtu) {
-		net_err_ratelimited("%s: Invalid MTU %d requested, hw max %d\n",
-				    dev->name, new_mtu, dev->max_mtu);
-		return -EINVAL;
-	}
+	err = dev_validate_mtu(dev, new_mtu);
+	if (err)
+		return err;
 
 	if (!netif_device_present(dev))
 		return -ENODEV;
@@ -7769,6 +7760,23 @@ int init_dummy_netdev(struct net_device
 EXPORT_SYMBOL_GPL(init_dummy_netdev);
 
 
+int dev_validate_mtu(struct net_device *dev, int new_mtu)
+{
+	/* MTU must be positive, and in range */
+	if (new_mtu < 0 || new_mtu < dev->min_mtu) {
+		net_err_ratelimited("%s: Invalid MTU %d requested, hw min %d\n",
+				    dev->name, new_mtu, dev->min_mtu);
+		return -EINVAL;
+	}
+
+	if (dev->max_mtu > 0 && new_mtu > dev->max_mtu) {
+		net_err_ratelimited("%s: Invalid MTU %d requested, hw max %d\n",
+				    dev->name, new_mtu, dev->max_mtu);
+		return -EINVAL;
+	}
+	return 0;
+}
+
 /**
  *	register_netdev	- register a network device
  *	@dev: device to register
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -2466,8 +2466,17 @@ struct net_device *rtnl_create_link(stru
 	dev->rtnl_link_ops = ops;
 	dev->rtnl_link_state = RTNL_LINK_INITIALIZING;
 
-	if (tb[IFLA_MTU])
-		dev->mtu = nla_get_u32(tb[IFLA_MTU]);
+	if (tb[IFLA_MTU]) {
+		u32 mtu = nla_get_u32(tb[IFLA_MTU]);
+		int err;
+
+		err = dev_validate_mtu(dev, mtu);
+		if (err) {
+			free_netdev(dev);
+			return ERR_PTR(err);
+		}
+		dev->mtu = mtu;
+	}
 	if (tb[IFLA_ADDRESS]) {
 		memcpy(dev->dev_addr, nla_data(tb[IFLA_ADDRESS]),
 				nla_len(tb[IFLA_ADDRESS]));



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 17/46] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 16/46] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 18/46] hwmon: Deal with errors from the thermal subsystem Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Luuk Paulussen, Guenter Roeck

From: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>

commit cf3ca1877574a306c0207cbf7fdf25419d9229df upstream.

reg2volt returns the voltage that matches a given register value.
Converting this back the other way with volt2reg didn't return the same
register value because it used truncation instead of rounding.

This meant that values read from sysfs could not be written back to sysfs
to set back the same register value.

With this change, volt2reg will return the same value for every voltage
previously returned by reg2volt (for the set of possible input values)

Signed-off-by: Luuk Paulussen <luuk.paulussen@alliedtelesis.co.nz>
Link: https://lore.kernel.org/r/20191205231659.1301-1-luuk.paulussen@alliedtelesis.co.nz
cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/adt7475.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/hwmon/adt7475.c
+++ b/drivers/hwmon/adt7475.c
@@ -297,9 +297,10 @@ static inline u16 volt2reg(int channel,
 	long reg;
 
 	if (bypass_attn & (1 << channel))
-		reg = (volt * 1024) / 2250;
+		reg = DIV_ROUND_CLOSEST(volt * 1024, 2250);
 	else
-		reg = (volt * r[1] * 1024) / ((r[0] + r[1]) * 2250);
+		reg = DIV_ROUND_CLOSEST(volt * r[1] * 1024,
+					(r[0] + r[1]) * 2250);
 	return clamp_val(reg, 0, 1023) & (0xff << 2);
 }
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 18/46] hwmon: Deal with errors from the thermal subsystem
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 17/46] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 19/46] hwmon: (core) Fix double-free in __hwmon_device_register() Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Linus Walleij, Guenter Roeck

From: Linus Walleij <linus.walleij@linaro.org>

commit 47c332deb8e89f6c59b0bb2615945c6e7fad1a60 upstream.

If the thermal subsystem returne -EPROBE_DEFER or any other error
when hwmon calls devm_thermal_zone_of_sensor_register(), this is
silently ignored.

I ran into this with an incorrectly defined thermal zone, making
it non-existing and thus this call failed with -EPROBE_DEFER
assuming it would appear later. The sensor was still added
which is incorrect: sensors must strictly be added after the
thermal zones, so deferred probe must be respected.

Fixes: d560168b5d0f ("hwmon: (core) New hwmon registration API")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/hwmon.c |   21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

--- a/drivers/hwmon/hwmon.c
+++ b/drivers/hwmon/hwmon.c
@@ -143,6 +143,7 @@ static int hwmon_thermal_add_sensor(stru
 				    struct hwmon_device *hwdev, int index)
 {
 	struct hwmon_thermal_data *tdata;
+	struct thermal_zone_device *tzd;
 
 	tdata = devm_kzalloc(dev, sizeof(*tdata), GFP_KERNEL);
 	if (!tdata)
@@ -151,8 +152,14 @@ static int hwmon_thermal_add_sensor(stru
 	tdata->hwdev = hwdev;
 	tdata->index = index;
 
-	devm_thermal_zone_of_sensor_register(&hwdev->dev, index, tdata,
-					     &hwmon_thermal_ops);
+	tzd = devm_thermal_zone_of_sensor_register(&hwdev->dev, index, tdata,
+						   &hwmon_thermal_ops);
+	/*
+	 * If CONFIG_THERMAL_OF is disabled, this returns -ENODEV,
+	 * so ignore that error but forward any other error.
+	 */
+	if (IS_ERR(tzd) && (PTR_ERR(tzd) != -ENODEV))
+		return PTR_ERR(tzd);
 
 	return 0;
 }
@@ -621,14 +628,20 @@ __hwmon_device_register(struct device *d
 				if (!chip->ops->is_visible(drvdata, hwmon_temp,
 							   hwmon_temp_input, j))
 					continue;
-				if (info[i]->config[j] & HWMON_T_INPUT)
-					hwmon_thermal_add_sensor(dev, hwdev, j);
+				if (info[i]->config[j] & HWMON_T_INPUT) {
+					err = hwmon_thermal_add_sensor(dev,
+								hwdev, j);
+					if (err)
+						goto free_device;
+				}
 			}
 		}
 	}
 
 	return hdev;
 
+free_device:
+	device_unregister(hdev);
 free_hwmon:
 	kfree(hwdev);
 ida_remove:



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 19/46] hwmon: (core) Fix double-free in __hwmon_device_register()
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 18/46] hwmon: Deal with errors from the thermal subsystem Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 20/46] hwmon: (core) Do not use device managed functions for memory allocations Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Guenter Roeck

From: Dmitry Osipenko <digetx@gmail.com>

commit 74e3512731bd5c9673176425a76a7cc5efa8ddb6 upstream.

Fix double-free that happens when thermal zone setup fails, see KASAN log
below.

==================================================================
BUG: KASAN: double-free or invalid-free in __hwmon_device_register+0x5dc/0xa7c

CPU: 0 PID: 132 Comm: kworker/0:2 Tainted: G    B             4.19.0-rc8-next-20181016-00042-gb52cd80401e9-dirty #41
Hardware name: NVIDIA Tegra SoC (Flattened Device Tree)
Workqueue: events deferred_probe_work_func
Backtrace:
[<c0110540>] (dump_backtrace) from [<c0110944>] (show_stack+0x20/0x24)
[<c0110924>] (show_stack) from [<c105cb08>] (dump_stack+0x9c/0xb0)
[<c105ca6c>] (dump_stack) from [<c02fdaec>] (print_address_description+0x68/0x250)
[<c02fda84>] (print_address_description) from [<c02fd4ac>] (kasan_report_invalid_free+0x68/0x88)
[<c02fd444>] (kasan_report_invalid_free) from [<c02fc85c>] (__kasan_slab_free+0x1f4/0x200)
[<c02fc668>] (__kasan_slab_free) from [<c02fd0c0>] (kasan_slab_free+0x14/0x18)
[<c02fd0ac>] (kasan_slab_free) from [<c02f9c6c>] (kfree+0x90/0x294)
[<c02f9bdc>] (kfree) from [<c0b41bbc>] (__hwmon_device_register+0x5dc/0xa7c)
[<c0b415e0>] (__hwmon_device_register) from [<c0b421e8>] (hwmon_device_register_with_info+0xa0/0xa8)
[<c0b42148>] (hwmon_device_register_with_info) from [<c0b42324>] (devm_hwmon_device_register_with_info+0x74/0xb4)
[<c0b422b0>] (devm_hwmon_device_register_with_info) from [<c0b4481c>] (lm90_probe+0x414/0x578)
[<c0b44408>] (lm90_probe) from [<c0aeeff4>] (i2c_device_probe+0x35c/0x384)
[<c0aeec98>] (i2c_device_probe) from [<c08776cc>] (really_probe+0x290/0x3e4)
[<c087743c>] (really_probe) from [<c0877a2c>] (driver_probe_device+0x80/0x1c4)
[<c08779ac>] (driver_probe_device) from [<c0877da8>] (__device_attach_driver+0x104/0x11c)
[<c0877ca4>] (__device_attach_driver) from [<c0874dd8>] (bus_for_each_drv+0xa4/0xc8)
[<c0874d34>] (bus_for_each_drv) from [<c08773b0>] (__device_attach+0xf0/0x15c)
[<c08772c0>] (__device_attach) from [<c0877e24>] (device_initial_probe+0x1c/0x20)
[<c0877e08>] (device_initial_probe) from [<c08762f4>] (bus_probe_device+0xdc/0xec)
[<c0876218>] (bus_probe_device) from [<c0876a08>] (deferred_probe_work_func+0xa8/0xd4)
[<c0876960>] (deferred_probe_work_func) from [<c01527c4>] (process_one_work+0x3dc/0x96c)
[<c01523e8>] (process_one_work) from [<c01541e0>] (worker_thread+0x4ec/0x8bc)
[<c0153cf4>] (worker_thread) from [<c015b238>] (kthread+0x230/0x240)
[<c015b008>] (kthread) from [<c01010bc>] (ret_from_fork+0x14/0x38)
Exception stack(0xcf743fb0 to 0xcf743ff8)
3fa0:                                     00000000 00000000 00000000 00000000
3fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
3fe0: 00000000 00000000 00000000 00000000 00000013 00000000

Allocated by task 132:
 kasan_kmalloc.part.1+0x58/0xf4
 kasan_kmalloc+0x90/0xa4
 kmem_cache_alloc_trace+0x90/0x2a0
 __hwmon_device_register+0xbc/0xa7c
 hwmon_device_register_with_info+0xa0/0xa8
 devm_hwmon_device_register_with_info+0x74/0xb4
 lm90_probe+0x414/0x578
 i2c_device_probe+0x35c/0x384
 really_probe+0x290/0x3e4
 driver_probe_device+0x80/0x1c4
 __device_attach_driver+0x104/0x11c
 bus_for_each_drv+0xa4/0xc8
 __device_attach+0xf0/0x15c
 device_initial_probe+0x1c/0x20
 bus_probe_device+0xdc/0xec
 deferred_probe_work_func+0xa8/0xd4
 process_one_work+0x3dc/0x96c
 worker_thread+0x4ec/0x8bc
 kthread+0x230/0x240
 ret_from_fork+0x14/0x38
   (null)

Freed by task 132:
 __kasan_slab_free+0x12c/0x200
 kasan_slab_free+0x14/0x18
 kfree+0x90/0x294
 hwmon_dev_release+0x1c/0x20
 device_release+0x4c/0xe8
 kobject_put+0xac/0x11c
 device_unregister+0x2c/0x30
 __hwmon_device_register+0xa58/0xa7c
 hwmon_device_register_with_info+0xa0/0xa8
 devm_hwmon_device_register_with_info+0x74/0xb4
 lm90_probe+0x414/0x578
 i2c_device_probe+0x35c/0x384
 really_probe+0x290/0x3e4
 driver_probe_device+0x80/0x1c4
 __device_attach_driver+0x104/0x11c
 bus_for_each_drv+0xa4/0xc8
 __device_attach+0xf0/0x15c
 device_initial_probe+0x1c/0x20
 bus_probe_device+0xdc/0xec
 deferred_probe_work_func+0xa8/0xd4
 process_one_work+0x3dc/0x96c
 worker_thread+0x4ec/0x8bc
 kthread+0x230/0x240
 ret_from_fork+0x14/0x38
   (null)

Cc: <stable@vger.kernel.org> # v4.15+
Fixes: 47c332deb8e8 ("hwmon: Deal with errors from the thermal subsystem")
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/hwmon.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/hwmon/hwmon.c
+++ b/drivers/hwmon/hwmon.c
@@ -631,8 +631,10 @@ __hwmon_device_register(struct device *d
 				if (info[i]->config[j] & HWMON_T_INPUT) {
 					err = hwmon_thermal_add_sensor(dev,
 								hwdev, j);
-					if (err)
-						goto free_device;
+					if (err) {
+						device_unregister(hdev);
+						goto ida_remove;
+					}
 				}
 			}
 		}
@@ -640,8 +642,6 @@ __hwmon_device_register(struct device *d
 
 	return hdev;
 
-free_device:
-	device_unregister(hdev);
 free_hwmon:
 	kfree(hwdev);
 ida_remove:



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 20/46] hwmon: (core) Do not use device managed functions for memory allocations
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 19/46] hwmon: (core) Fix double-free in __hwmon_device_register() Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 21/46] Input: keyspan-remote - fix control-message timeouts Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin K. Petersen, Guenter Roeck

From: Guenter Roeck <linux@roeck-us.net>

commit 3bf8bdcf3bada771eb12b57f2a30caee69e8ab8d upstream.

The hwmon core uses device managed functions, tied to the hwmon parent
device, for various internal memory allocations. This is problematic
since hwmon device lifetime does not necessarily match its parent's
device lifetime. If there is a mismatch, memory leaks will accumulate
until the parent device is released.

Fix the problem by managing all memory allocations internally. The only
exception is memory allocation for thermal device registration, which
can be tied to the hwmon device, along with thermal device registration
itself.

Fixes: d560168b5d0f ("hwmon: (core) New hwmon registration API")
Cc: stable@vger.kernel.org # v4.14.x: 47c332deb8e8: hwmon: Deal with errors from the thermal subsystem
Cc: stable@vger.kernel.org # v4.14.x: 74e3512731bd: hwmon: (core) Fix double-free in __hwmon_device_register()
Cc: stable@vger.kernel.org # v4.9.x: 3a412d5e4a1c: hwmon: (core) Simplify sysfs attribute name allocation
Cc: stable@vger.kernel.org # v4.9.x: 47c332deb8e8: hwmon: Deal with errors from the thermal subsystem
Cc: stable@vger.kernel.org # v4.9.x: 74e3512731bd: hwmon: (core) Fix double-free in __hwmon_device_register()
Cc: stable@vger.kernel.org # v4.9+
Cc: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/hwmon.c |   68 ++++++++++++++++++++++++++++++--------------------
 1 file changed, 41 insertions(+), 27 deletions(-)

--- a/drivers/hwmon/hwmon.c
+++ b/drivers/hwmon/hwmon.c
@@ -51,6 +51,7 @@ struct hwmon_device_attribute {
 
 #define to_hwmon_attr(d) \
 	container_of(d, struct hwmon_device_attribute, dev_attr)
+#define to_dev_attr(a) container_of(a, struct device_attribute, attr)
 
 /*
  * Thermal zone information
@@ -58,7 +59,7 @@ struct hwmon_device_attribute {
  * also provides the sensor index.
  */
 struct hwmon_thermal_data {
-	struct hwmon_device *hwdev;	/* Reference to hwmon device */
+	struct device *dev;		/* Reference to hwmon device */
 	int index;			/* sensor index */
 };
 
@@ -95,9 +96,27 @@ static const struct attribute_group *hwm
 	NULL
 };
 
+static void hwmon_free_attrs(struct attribute **attrs)
+{
+	int i;
+
+	for (i = 0; attrs[i]; i++) {
+		struct device_attribute *dattr = to_dev_attr(attrs[i]);
+		struct hwmon_device_attribute *hattr = to_hwmon_attr(dattr);
+
+		kfree(hattr);
+	}
+	kfree(attrs);
+}
+
 static void hwmon_dev_release(struct device *dev)
 {
-	kfree(to_hwmon_device(dev));
+	struct hwmon_device *hwdev = to_hwmon_device(dev);
+
+	if (hwdev->group.attrs)
+		hwmon_free_attrs(hwdev->group.attrs);
+	kfree(hwdev->groups);
+	kfree(hwdev);
 }
 
 static struct class hwmon_class = {
@@ -121,11 +140,11 @@ static DEFINE_IDA(hwmon_ida);
 static int hwmon_thermal_get_temp(void *data, int *temp)
 {
 	struct hwmon_thermal_data *tdata = data;
-	struct hwmon_device *hwdev = tdata->hwdev;
+	struct hwmon_device *hwdev = to_hwmon_device(tdata->dev);
 	int ret;
 	long t;
 
-	ret = hwdev->chip->ops->read(&hwdev->dev, hwmon_temp, hwmon_temp_input,
+	ret = hwdev->chip->ops->read(tdata->dev, hwmon_temp, hwmon_temp_input,
 				     tdata->index, &t);
 	if (ret < 0)
 		return ret;
@@ -139,8 +158,7 @@ static const struct thermal_zone_of_devi
 	.get_temp = hwmon_thermal_get_temp,
 };
 
-static int hwmon_thermal_add_sensor(struct device *dev,
-				    struct hwmon_device *hwdev, int index)
+static int hwmon_thermal_add_sensor(struct device *dev, int index)
 {
 	struct hwmon_thermal_data *tdata;
 	struct thermal_zone_device *tzd;
@@ -149,10 +167,10 @@ static int hwmon_thermal_add_sensor(stru
 	if (!tdata)
 		return -ENOMEM;
 
-	tdata->hwdev = hwdev;
+	tdata->dev = dev;
 	tdata->index = index;
 
-	tzd = devm_thermal_zone_of_sensor_register(&hwdev->dev, index, tdata,
+	tzd = devm_thermal_zone_of_sensor_register(dev, index, tdata,
 						   &hwmon_thermal_ops);
 	/*
 	 * If CONFIG_THERMAL_OF is disabled, this returns -ENODEV,
@@ -164,8 +182,7 @@ static int hwmon_thermal_add_sensor(stru
 	return 0;
 }
 #else
-static int hwmon_thermal_add_sensor(struct device *dev,
-				    struct hwmon_device *hwdev, int index)
+static int hwmon_thermal_add_sensor(struct device *dev, int index)
 {
 	return 0;
 }
@@ -242,8 +259,7 @@ static bool is_string_attr(enum hwmon_se
 	       (type == hwmon_fan && attr == hwmon_fan_label);
 }
 
-static struct attribute *hwmon_genattr(struct device *dev,
-				       const void *drvdata,
+static struct attribute *hwmon_genattr(const void *drvdata,
 				       enum hwmon_sensor_types type,
 				       u32 attr,
 				       int index,
@@ -271,7 +287,7 @@ static struct attribute *hwmon_genattr(s
 	if ((mode & S_IWUGO) && !ops->write)
 		return ERR_PTR(-EINVAL);
 
-	hattr = devm_kzalloc(dev, sizeof(*hattr), GFP_KERNEL);
+	hattr = kzalloc(sizeof(*hattr), GFP_KERNEL);
 	if (!hattr)
 		return ERR_PTR(-ENOMEM);
 
@@ -474,8 +490,7 @@ static int hwmon_num_channel_attrs(const
 	return n;
 }
 
-static int hwmon_genattrs(struct device *dev,
-			  const void *drvdata,
+static int hwmon_genattrs(const void *drvdata,
 			  struct attribute **attrs,
 			  const struct hwmon_ops *ops,
 			  const struct hwmon_channel_info *info)
@@ -501,7 +516,7 @@ static int hwmon_genattrs(struct device
 			attr_mask &= ~BIT(attr);
 			if (attr >= template_size)
 				return -EINVAL;
-			a = hwmon_genattr(dev, drvdata, info->type, attr, i,
+			a = hwmon_genattr(drvdata, info->type, attr, i,
 					  templates[attr], ops);
 			if (IS_ERR(a)) {
 				if (PTR_ERR(a) != -ENOENT)
@@ -515,8 +530,7 @@ static int hwmon_genattrs(struct device
 }
 
 static struct attribute **
-__hwmon_create_attrs(struct device *dev, const void *drvdata,
-		     const struct hwmon_chip_info *chip)
+__hwmon_create_attrs(const void *drvdata, const struct hwmon_chip_info *chip)
 {
 	int ret, i, aindex = 0, nattrs = 0;
 	struct attribute **attrs;
@@ -527,15 +541,17 @@ __hwmon_create_attrs(struct device *dev,
 	if (nattrs == 0)
 		return ERR_PTR(-EINVAL);
 
-	attrs = devm_kcalloc(dev, nattrs + 1, sizeof(*attrs), GFP_KERNEL);
+	attrs = kcalloc(nattrs + 1, sizeof(*attrs), GFP_KERNEL);
 	if (!attrs)
 		return ERR_PTR(-ENOMEM);
 
 	for (i = 0; chip->info[i]; i++) {
-		ret = hwmon_genattrs(dev, drvdata, &attrs[aindex], chip->ops,
+		ret = hwmon_genattrs(drvdata, &attrs[aindex], chip->ops,
 				     chip->info[i]);
-		if (ret < 0)
+		if (ret < 0) {
+			hwmon_free_attrs(attrs);
 			return ERR_PTR(ret);
+		}
 		aindex += ret;
 	}
 
@@ -577,14 +593,13 @@ __hwmon_device_register(struct device *d
 			for (i = 0; groups[i]; i++)
 				ngroups++;
 
-		hwdev->groups = devm_kcalloc(dev, ngroups, sizeof(*groups),
-					     GFP_KERNEL);
+		hwdev->groups = kcalloc(ngroups, sizeof(*groups), GFP_KERNEL);
 		if (!hwdev->groups) {
 			err = -ENOMEM;
 			goto free_hwmon;
 		}
 
-		attrs = __hwmon_create_attrs(dev, drvdata, chip);
+		attrs = __hwmon_create_attrs(drvdata, chip);
 		if (IS_ERR(attrs)) {
 			err = PTR_ERR(attrs);
 			goto free_hwmon;
@@ -629,8 +644,7 @@ __hwmon_device_register(struct device *d
 							   hwmon_temp_input, j))
 					continue;
 				if (info[i]->config[j] & HWMON_T_INPUT) {
-					err = hwmon_thermal_add_sensor(dev,
-								hwdev, j);
+					err = hwmon_thermal_add_sensor(hdev, j);
 					if (err) {
 						device_unregister(hdev);
 						goto ida_remove;
@@ -643,7 +657,7 @@ __hwmon_device_register(struct device *d
 	return hdev;
 
 free_hwmon:
-	kfree(hwdev);
+	hwmon_dev_release(hdev);
 ida_remove:
 	ida_simple_remove(&hwmon_ida, id);
 	return ERR_PTR(err);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 21/46] Input: keyspan-remote - fix control-message timeouts
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 20/46] hwmon: (core) Do not use device managed functions for memory allocations Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 22/46] Revert "Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers" Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Dmitry Torokhov

From: Johan Hovold <johan@kernel.org>

commit ba9a103f40fc4a3ec7558ec9b0b97d4f92034249 upstream.

The driver was issuing synchronous uninterruptible control requests
without using a timeout. This could lead to the driver hanging on probe
due to a malfunctioning (or malicious) device until the device is
physically disconnected. While sleeping in probe the driver prevents
other devices connected to the same hub from being added to (or removed
from) the bus.

The USB upper limit of five seconds per request should be more than
enough.

Fixes: 99f83c9c9ac9 ("[PATCH] USB: add driver for Keyspan Digital Remote")
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@vger.kernel.org>     # 2.6.13
Link: https://lore.kernel.org/r/20200113171715.30621-1-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/misc/keyspan_remote.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

--- a/drivers/input/misc/keyspan_remote.c
+++ b/drivers/input/misc/keyspan_remote.c
@@ -344,7 +344,8 @@ static int keyspan_setup(struct usb_devi
 	int retval = 0;
 
 	retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
-				 0x11, 0x40, 0x5601, 0x0, NULL, 0, 0);
+				 0x11, 0x40, 0x5601, 0x0, NULL, 0,
+				 USB_CTRL_SET_TIMEOUT);
 	if (retval) {
 		dev_dbg(&dev->dev, "%s - failed to set bit rate due to error: %d\n",
 			__func__, retval);
@@ -352,7 +353,8 @@ static int keyspan_setup(struct usb_devi
 	}
 
 	retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
-				 0x44, 0x40, 0x0, 0x0, NULL, 0, 0);
+				 0x44, 0x40, 0x0, 0x0, NULL, 0,
+				 USB_CTRL_SET_TIMEOUT);
 	if (retval) {
 		dev_dbg(&dev->dev, "%s - failed to set resume sensitivity due to error: %d\n",
 			__func__, retval);
@@ -360,7 +362,8 @@ static int keyspan_setup(struct usb_devi
 	}
 
 	retval = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
-				 0x22, 0x40, 0x0, 0x0, NULL, 0, 0);
+				 0x22, 0x40, 0x0, 0x0, NULL, 0,
+				 USB_CTRL_SET_TIMEOUT);
 	if (retval) {
 		dev_dbg(&dev->dev, "%s - failed to turn receive on due to error: %d\n",
 			__func__, retval);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 22/46] Revert "Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers"
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 21/46] Input: keyspan-remote - fix control-message timeouts Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 23/46] ARM: 8950/1: ftrace/recordmcount: filter relocation types Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Timo Kaufmann, Dmitry Torokhov

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit 8ff771f8c8d55d95f102cf88a970e541a8bd6bcf upstream.

This reverts commit a284e11c371e446371675668d8c8120a27227339.

This causes problems (drifting cursor) with at least the F11 function that
reads more than 32 bytes.

The real issue is in the F54 driver, and so this should be fixed there, and
not in rmi_smbus.c.

So first revert this bad commit, then fix the real problem in F54 in another
patch.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Reported-by: Timo Kaufmann <timokau@zoho.com>
Fixes: a284e11c371e ("Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20200115124819.3191024-2-hverkuil-cisco@xs4all.nl
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/rmi4/rmi_smbus.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/input/rmi4/rmi_smbus.c
+++ b/drivers/input/rmi4/rmi_smbus.c
@@ -166,6 +166,7 @@ static int rmi_smb_write_block(struct rm
 		/* prepare to write next block of bytes */
 		cur_len -= SMB_MAX_COUNT;
 		databuff += SMB_MAX_COUNT;
+		rmiaddr += SMB_MAX_COUNT;
 	}
 exit:
 	mutex_unlock(&rmi_smb->page_mutex);
@@ -217,6 +218,7 @@ static int rmi_smb_read_block(struct rmi
 		/* prepare to read next block of bytes */
 		cur_len -= SMB_MAX_COUNT;
 		databuff += SMB_MAX_COUNT;
+		rmiaddr += SMB_MAX_COUNT;
 	}
 
 	retval = 0;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 23/46] ARM: 8950/1: ftrace/recordmcount: filter relocation types
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 22/46] Revert "Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers" Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 24/46] mmc: tegra: fix SDR50 tuning override Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Sverdlin,
	Steven Rostedt (VMware),
	Russell King

From: Alex Sverdlin <alexander.sverdlin@nokia.com>

commit 927d780ee371d7e121cea4fc7812f6ef2cea461c upstream.

Scenario 1, ARMv7
=================

If code in arch/arm/kernel/ftrace.c would operate on mcount() pointer
the following may be generated:

00000230 <prealloc_fixed_plts>:
 230:   b5f8            push    {r3, r4, r5, r6, r7, lr}
 232:   b500            push    {lr}
 234:   f7ff fffe       bl      0 <__gnu_mcount_nc>
                        234: R_ARM_THM_CALL     __gnu_mcount_nc
 238:   f240 0600       movw    r6, #0
                        238: R_ARM_THM_MOVW_ABS_NC      __gnu_mcount_nc
 23c:   f8d0 1180       ldr.w   r1, [r0, #384]  ; 0x180

FTRACE currently is not able to deal with it:

WARNING: CPU: 0 PID: 0 at .../kernel/trace/ftrace.c:1979 ftrace_bug+0x1ad/0x230()
...
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.116-... #1
...
[<c0314e3d>] (unwind_backtrace) from [<c03115e9>] (show_stack+0x11/0x14)
[<c03115e9>] (show_stack) from [<c051a7f1>] (dump_stack+0x81/0xa8)
[<c051a7f1>] (dump_stack) from [<c0321c5d>] (warn_slowpath_common+0x69/0x90)
[<c0321c5d>] (warn_slowpath_common) from [<c0321cf3>] (warn_slowpath_null+0x17/0x1c)
[<c0321cf3>] (warn_slowpath_null) from [<c038ee9d>] (ftrace_bug+0x1ad/0x230)
[<c038ee9d>] (ftrace_bug) from [<c038f1f9>] (ftrace_process_locs+0x27d/0x444)
[<c038f1f9>] (ftrace_process_locs) from [<c08915bd>] (ftrace_init+0x91/0xe8)
[<c08915bd>] (ftrace_init) from [<c0885a67>] (start_kernel+0x34b/0x358)
[<c0885a67>] (start_kernel) from [<00308095>] (0x308095)
---[ end trace cb88537fdc8fa200 ]---
ftrace failed to modify [<c031266c>] prealloc_fixed_plts+0x8/0x60
 actual: 44:f2:e1:36
ftrace record flags: 0
 (0)   expected tramp: c03143e9

Scenario 2, ARMv4T
==================

ftrace: allocating 14435 entries in 43 pages
------------[ cut here ]------------
WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:2029 ftrace_bug+0x204/0x310
CPU: 0 PID: 0 Comm: swapper Not tainted 4.19.5 #1
Hardware name: Cirrus Logic EDB9302 Evaluation Board
[<c0010a24>] (unwind_backtrace) from [<c000ecb0>] (show_stack+0x20/0x2c)
[<c000ecb0>] (show_stack) from [<c03c72e8>] (dump_stack+0x20/0x30)
[<c03c72e8>] (dump_stack) from [<c0021c18>] (__warn+0xdc/0x104)
[<c0021c18>] (__warn) from [<c0021d7c>] (warn_slowpath_null+0x4c/0x5c)
[<c0021d7c>] (warn_slowpath_null) from [<c0095360>] (ftrace_bug+0x204/0x310)
[<c0095360>] (ftrace_bug) from [<c04dabac>] (ftrace_init+0x3b4/0x4d4)
[<c04dabac>] (ftrace_init) from [<c04cef4c>] (start_kernel+0x20c/0x410)
[<c04cef4c>] (start_kernel) from [<00000000>] (  (null))
---[ end trace 0506a2f5dae6b341 ]---
ftrace failed to modify
[<c000c350>] perf_trace_sys_exit+0x5c/0xe8
 actual:   1e:ff:2f:e1
Initializing ftrace call sites
ftrace record flags: 0
 (0)
 expected tramp: c000fb24

The analysis for this problem has been already performed previously,
refer to the link below.

Fix the above problems by allowing only selected reloc types in
__mcount_loc. The list itself comes from the legacy recordmcount.pl
script.

Link: https://lore.kernel.org/lkml/56961010.6000806@pengutronix.de/
Cc: stable@vger.kernel.org
Fixes: ed60453fa8f8 ("ARM: 6511/1: ftrace: add ARM support for C version of recordmcount")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Acked-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 scripts/recordmcount.c |   17 +++++++++++++++++
 1 file changed, 17 insertions(+)

--- a/scripts/recordmcount.c
+++ b/scripts/recordmcount.c
@@ -53,6 +53,10 @@
 #define R_AARCH64_ABS64	257
 #endif
 
+#define R_ARM_PC24		1
+#define R_ARM_THM_CALL		10
+#define R_ARM_CALL		28
+
 static int fd_map;	/* File descriptor for file being modified. */
 static int mmap_failed; /* Boolean flag. */
 static char gpfx;	/* prefix for global symbol name (sometimes '_') */
@@ -428,6 +432,18 @@ is_mcounted_section_name(char const *con
 #define RECORD_MCOUNT_64
 #include "recordmcount.h"
 
+static int arm_is_fake_mcount(Elf32_Rel const *rp)
+{
+	switch (ELF32_R_TYPE(w(rp->r_info))) {
+	case R_ARM_THM_CALL:
+	case R_ARM_CALL:
+	case R_ARM_PC24:
+		return 0;
+	}
+
+	return 1;
+}
+
 /* 64-bit EM_MIPS has weird ELF64_Rela.r_info.
  * http://techpubs.sgi.com/library/manuals/4000/007-4658-001/pdf/007-4658-001.pdf
  * We interpret Table 29 Relocation Operation (Elf64_Rel, Elf64_Rela) [p.40]
@@ -529,6 +545,7 @@ do_file(char const *const fname)
 			 altmcount = "__gnu_mcount_nc";
 			 make_nop = make_nop_arm;
 			 rel_type_nop = R_ARM_NONE;
+			 is_fake_mcount32 = arm_is_fake_mcount;
 			 break;
 	case EM_AARCH64:
 			reltype = R_AARCH64_ABS64;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 24/46] mmc: tegra: fix SDR50 tuning override
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 23/46] ARM: 8950/1: ftrace/recordmcount: filter relocation types Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:57 ` [PATCH 4.14 25/46] mmc: sdhci: fix minimum clock rate for v3 controller Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Adrian Hunter, Thierry Reding,
	Michał Mirosław, Ulf Hansson

From: Michał Mirosław <mirq-linux@rere.qmqm.pl>

commit f571389c0b015e76f91c697c4c1700aba860d34f upstream.

Commit 7ad2ed1dfcbe inadvertently mixed up a quirk flag's name and
broke SDR50 tuning override. Use correct NVQUIRK_ name.

Fixes: 7ad2ed1dfcbe ("mmc: tegra: enable UHS-I modes")
Cc: <stable@vger.kernel.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Thierry Reding <treding@nvidia.com>
Tested-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Link: https://lore.kernel.org/r/9aff1d859935e59edd81e4939e40d6c55e0b55f6.1578390388.git.mirq-linux@rere.qmqm.pl
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci-tegra.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/sdhci-tegra.c
+++ b/drivers/mmc/host/sdhci-tegra.c
@@ -177,7 +177,7 @@ static void tegra_sdhci_reset(struct sdh
 			misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_DDR50;
 		if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR104)
 			misc_ctrl |= SDHCI_MISC_CTRL_ENABLE_SDR104;
-		if (soc_data->nvquirks & SDHCI_MISC_CTRL_ENABLE_SDR50)
+		if (soc_data->nvquirks & NVQUIRK_ENABLE_SDR50)
 			clk_ctrl |= SDHCI_CLOCK_CTRL_SDR50_TUNING_OVERRIDE;
 	}
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 25/46] mmc: sdhci: fix minimum clock rate for v3 controller
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 24/46] mmc: tegra: fix SDR50 tuning override Greg Kroah-Hartman
@ 2020-01-28 13:57 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 26/46] Documentation: Document arm64 kpti control Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:57 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Michał Mirosław,
	Adrian Hunter, Ulf Hansson

From: Michał Mirosław <mirq-linux@rere.qmqm.pl>

commit 2a187d03352086e300daa2044051db00044cd171 upstream.

For SDHCIv3+ with programmable clock mode, minimal clock frequency is
still base clock / max(divider). Minimal programmable clock frequency is
always greater than minimal divided clock frequency. Without this patch,
SDHCI uses out-of-spec initial frequency when multiplier is big enough:

mmc1: mmc_rescan_try_freq: trying to init card at 468750 Hz
[for 480 MHz source clock divided by 1024]

The code in sdhci_calc_clk() already chooses a correct SDCLK clock mode.

Fixes: c3ed3877625f ("mmc: sdhci: add support for programmable clock mode")
Cc: <stable@vger.kernel.org> # 4f6aa3264af4: mmc: tegra: Only advertise UHS modes if IO regulator is present
Cc: <stable@vger.kernel.org>
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/ffb489519a446caffe7a0a05c4b9372bd52397bb.1579082031.git.mirq-linux@rere.qmqm.pl
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -3592,11 +3592,13 @@ int sdhci_setup_host(struct sdhci_host *
 	if (host->ops->get_min_clock)
 		mmc->f_min = host->ops->get_min_clock(host);
 	else if (host->version >= SDHCI_SPEC_300) {
-		if (host->clk_mul) {
-			mmc->f_min = (host->max_clk * host->clk_mul) / 1024;
+		if (host->clk_mul)
 			max_clk = host->max_clk * host->clk_mul;
-		} else
-			mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300;
+		/*
+		 * Divided Clock Mode minimum clock rate is always less than
+		 * Programmable Clock Mode minimum clock rate.
+		 */
+		mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_300;
 	} else
 		mmc->f_min = host->max_clk / SDHCI_MAX_DIV_SPEC_200;
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 26/46] Documentation: Document arm64 kpti control
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2020-01-28 13:57 ` [PATCH 4.14 25/46] mmc: sdhci: fix minimum clock rate for v3 controller Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 27/46] Input: pm8xxx-vib - fix handling of separate enable register Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jeremy Linton, Andre Przywara,
	Jonathan Corbet

From: Jeremy Linton <jeremy.linton@arm.com>

commit de19055564c8f8f9d366f8db3395836da0b2176c upstream.

For a while Arm64 has been capable of force enabling
or disabling the kpti mitigations. Lets make sure the
documentation reflects that.

Signed-off-by: Jeremy Linton <jeremy.linton@arm.com>
Reviewed-by: Andre Przywara <andre.przywara@arm.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 Documentation/admin-guide/kernel-parameters.txt |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -1845,6 +1845,12 @@
 			Built with CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y,
 			the default is off.
 
+	kpti=		[ARM64] Control page table isolation of user
+			and kernel address spaces.
+			Default: enabled on cores which need mitigation.
+			0: force disabled
+			1: force enabled
+
 	kvm.ignore_msrs=[KVM] Ignore guest accesses to unhandled MSRs.
 			Default is 0 (don't ignore, but inject #GP)
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 27/46] Input: pm8xxx-vib - fix handling of separate enable register
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 26/46] Documentation: Document arm64 kpti control Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 28/46] Input: sur40 - fix interface sanity checks Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Stephan Gerhold, Dmitry Torokhov

From: Stephan Gerhold <stephan@gerhold.net>

commit 996d5d5f89a558a3608a46e73ccd1b99f1b1d058 upstream.

Setting the vibrator enable_mask is not implemented correctly:

For regmap_update_bits(map, reg, mask, val) we give in either
regs->enable_mask or 0 (= no-op) as mask and "val" as value.
But "val" actually refers to the vibrator voltage control register,
which has nothing to do with the enable_mask.

So we usually end up doing nothing when we really wanted
to enable the vibrator.

We want to set or clear the enable_mask (to enable/disable the vibrator).
Therefore, change the call to always modify the enable_mask
and set the bits only if we want to enable the vibrator.

Fixes: d4c7c5c96c92 ("Input: pm8xxx-vib - handle separate enable register")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Link: https://lore.kernel.org/r/20200114183442.45720-1-stephan@gerhold.net
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/misc/pm8xxx-vibrator.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/misc/pm8xxx-vibrator.c
+++ b/drivers/input/misc/pm8xxx-vibrator.c
@@ -98,7 +98,7 @@ static int pm8xxx_vib_set(struct pm8xxx_
 
 	if (regs->enable_mask)
 		rc = regmap_update_bits(vib->regmap, regs->enable_addr,
-					on ? regs->enable_mask : 0, val);
+					regs->enable_mask, on ? ~0 : 0);
 
 	return rc;
 }



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 28/46] Input: sur40 - fix interface sanity checks
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 27/46] Input: pm8xxx-vib - fix handling of separate enable register Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 29/46] Input: gtco - fix endpoint sanity check Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Vladis Dronov, Dmitry Torokhov

From: Johan Hovold <johan@kernel.org>

commit 6b32391ed675827f8425a414abbc6fbd54ea54fe upstream.

Make sure to use the current alternate setting when verifying the
interface descriptors to avoid binding to an invalid interface.

This in turn could cause the driver to misbehave or trigger a WARN() in
usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40 (aka MS Surface 2.0/Pixelsense)")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-8-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/touchscreen/sur40.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/touchscreen/sur40.c
+++ b/drivers/input/touchscreen/sur40.c
@@ -537,7 +537,7 @@ static int sur40_probe(struct usb_interf
 	int error;
 
 	/* Check if we really have the right interface. */
-	iface_desc = &interface->altsetting[0];
+	iface_desc = interface->cur_altsetting;
 	if (iface_desc->desc.bInterfaceClass != 0xFF)
 		return -ENODEV;
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 29/46] Input: gtco - fix endpoint sanity check
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 28/46] Input: sur40 - fix interface sanity checks Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 30/46] Input: aiptek " Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Vladis Dronov, Dmitry Torokhov

From: Johan Hovold <johan@kernel.org>

commit a8eeb74df5a6bdb214b2b581b14782c5f5a0cf83 upstream.

The driver was checking the number of endpoints of the first alternate
setting instead of the current one, something which could lead to the
driver binding to an invalid interface.

This in turn could cause the driver to misbehave or trigger a WARN() in
usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 162f98dea487 ("Input: gtco - fix crash on detecting device without endpoints")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-5-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/tablet/gtco.c |   10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

--- a/drivers/input/tablet/gtco.c
+++ b/drivers/input/tablet/gtco.c
@@ -875,18 +875,14 @@ static int gtco_probe(struct usb_interfa
 	}
 
 	/* Sanity check that a device has an endpoint */
-	if (usbinterface->altsetting[0].desc.bNumEndpoints < 1) {
+	if (usbinterface->cur_altsetting->desc.bNumEndpoints < 1) {
 		dev_err(&usbinterface->dev,
 			"Invalid number of endpoints\n");
 		error = -EINVAL;
 		goto err_free_urb;
 	}
 
-	/*
-	 * The endpoint is always altsetting 0, we know this since we know
-	 * this device only has one interrupt endpoint
-	 */
-	endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
+	endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
 
 	/* Some debug */
 	dev_dbg(&usbinterface->dev, "gtco # interfaces: %d\n", usbinterface->num_altsetting);
@@ -973,7 +969,7 @@ static int gtco_probe(struct usb_interfa
 	input_dev->dev.parent = &usbinterface->dev;
 
 	/* Setup the URB, it will be posted later on open of input device */
-	endpoint = &usbinterface->altsetting[0].endpoint[0].desc;
+	endpoint = &usbinterface->cur_altsetting->endpoint[0].desc;
 
 	usb_fill_int_urb(gtco->urbinfo,
 			 udev,



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 30/46] Input: aiptek - fix endpoint sanity check
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 29/46] Input: gtco - fix endpoint sanity check Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 31/46] Input: pegasus_notetaker " Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Vladis Dronov, Dmitry Torokhov

From: Johan Hovold <johan@kernel.org>

commit 3111491fca4f01764e0c158c5e0f7ced808eef51 upstream.

The driver was checking the number of endpoints of the first alternate
setting instead of the current one, something which could lead to the
driver binding to an invalid interface.

This in turn could cause the driver to misbehave or trigger a WARN() in
usb_submit_urb() that kernels with panic_on_warn set would choke on.

Fixes: 8e20cf2bce12 ("Input: aiptek - fix crash on detecting device without endpoints")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-3-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/tablet/aiptek.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/drivers/input/tablet/aiptek.c
+++ b/drivers/input/tablet/aiptek.c
@@ -1822,14 +1822,14 @@ aiptek_probe(struct usb_interface *intf,
 	input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
 
 	/* Verify that a device really has an endpoint */
-	if (intf->altsetting[0].desc.bNumEndpoints < 1) {
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
 		dev_err(&intf->dev,
 			"interface has %d endpoints, but must have minimum 1\n",
-			intf->altsetting[0].desc.bNumEndpoints);
+			intf->cur_altsetting->desc.bNumEndpoints);
 		err = -EINVAL;
 		goto fail3;
 	}
-	endpoint = &intf->altsetting[0].endpoint[0].desc;
+	endpoint = &intf->cur_altsetting->endpoint[0].desc;
 
 	/* Go set up our URB, which is called when the tablet receives
 	 * input.



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 31/46] Input: pegasus_notetaker - fix endpoint sanity check
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 30/46] Input: aiptek " Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 32/46] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Martin Kepplinger,
	Vladis Dronov, Dmitry Torokhov

From: Johan Hovold <johan@kernel.org>

commit bcfcb7f9b480dd0be8f0df2df17340ca92a03b98 upstream.

The driver was checking the number of endpoints of the first alternate
setting instead of the current one, something which could be used by a
malicious device (or USB descriptor fuzzer) to trigger a NULL-pointer
dereference.

Fixes: 1afca2b66aac ("Input: add Pegasus Notetaker tablet driver")
Signed-off-by: Johan Hovold <johan@kernel.org>
Acked-by: Martin Kepplinger <martink@posteo.de>
Acked-by: Vladis Dronov <vdronov@redhat.com>
Link: https://lore.kernel.org/r/20191210113737.4016-2-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/tablet/pegasus_notetaker.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/tablet/pegasus_notetaker.c
+++ b/drivers/input/tablet/pegasus_notetaker.c
@@ -260,7 +260,7 @@ static int pegasus_probe(struct usb_inte
 		return -ENODEV;
 
 	/* Sanity check that the device has an endpoint */
-	if (intf->altsetting[0].desc.bNumEndpoints < 1) {
+	if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
 		dev_err(&intf->dev, "Invalid number of endpoints\n");
 		return -EINVAL;
 	}



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 32/46] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 31/46] Input: pegasus_notetaker " Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 33/46] hwmon: (nct7802) Fix voltage limits to wrong registers Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuhong Yuan, Dmitry Torokhov

From: Chuhong Yuan <hslester96@gmail.com>

commit 97e24b095348a15ec08c476423c3b3b939186ad7 upstream.

The driver misses a check for devm_thermal_zone_of_sensor_register().
Add a check to fix it.

Fixes: e28d0c9cd381 ("input: convert sun4i-ts to use devm_thermal_zone_of_sensor_register")
Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/touchscreen/sun4i-ts.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/drivers/input/touchscreen/sun4i-ts.c
+++ b/drivers/input/touchscreen/sun4i-ts.c
@@ -246,6 +246,7 @@ static int sun4i_ts_probe(struct platfor
 	struct device *dev = &pdev->dev;
 	struct device_node *np = dev->of_node;
 	struct device *hwmon;
+	struct thermal_zone_device *thermal;
 	int error;
 	u32 reg;
 	bool ts_attached;
@@ -365,7 +366,10 @@ static int sun4i_ts_probe(struct platfor
 	if (IS_ERR(hwmon))
 		return PTR_ERR(hwmon);
 
-	devm_thermal_zone_of_sensor_register(ts->dev, 0, ts, &sun4i_ts_tz_ops);
+	thermal = devm_thermal_zone_of_sensor_register(ts->dev, 0, ts,
+						       &sun4i_ts_tz_ops);
+	if (IS_ERR(thermal))
+		return PTR_ERR(thermal);
 
 	writel(TEMP_IRQ_EN(1), ts->base + TP_INT_FIFOC);
 



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 33/46] hwmon: (nct7802) Fix voltage limits to wrong registers
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 32/46] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 34/46] scsi: RDMA/isert: Fix a recently introduced regression related to logout Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Gilles Buloz, Guenter Roeck

From: Gilles Buloz <gilles.buloz@kontron.com>

commit 7713e62c8623c54dac88d1fa724aa487a38c3efb upstream.

in0 thresholds are written to the in2 thresholds registers
in2 thresholds to in3 thresholds
in3 thresholds to in4 thresholds
in4 thresholds to in0 thresholds

Signed-off-by: Gilles Buloz <gilles.buloz@kontron.com>
Link: https://lore.kernel.org/r/5de0f509.rc0oEvPOMjbfPW1w%gilles.buloz@kontron.com
Fixes: 3434f3783580 ("hwmon: Driver for Nuvoton NCT7802Y")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwmon/nct7802.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/drivers/hwmon/nct7802.c
+++ b/drivers/hwmon/nct7802.c
@@ -32,8 +32,8 @@
 static const u8 REG_VOLTAGE[5] = { 0x09, 0x0a, 0x0c, 0x0d, 0x0e };
 
 static const u8 REG_VOLTAGE_LIMIT_LSB[2][5] = {
-	{ 0x40, 0x00, 0x42, 0x44, 0x46 },
-	{ 0x3f, 0x00, 0x41, 0x43, 0x45 },
+	{ 0x46, 0x00, 0x40, 0x42, 0x44 },
+	{ 0x45, 0x00, 0x3f, 0x41, 0x43 },
 };
 
 static const u8 REG_VOLTAGE_LIMIT_MSB[5] = { 0x48, 0x00, 0x47, 0x47, 0x48 };



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 34/46] scsi: RDMA/isert: Fix a recently introduced regression related to logout
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 33/46] hwmon: (nct7802) Fix voltage limits to wrong registers Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 35/46] tracing: xen: Ordered comparison of function pointers Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Rahul Kundu, Bart Van Assche,
	Mike Marciniszyn, Sagi Grimberg, Martin K. Petersen

From: Bart Van Assche <bvanassche@acm.org>

commit 04060db41178c7c244f2c7dcd913e7fd331de915 upstream.

iscsit_close_connection() calls isert_wait_conn(). Due to commit
e9d3009cb936 both functions call target_wait_for_sess_cmds() although that
last function should be called only once. Fix this by removing the
target_wait_for_sess_cmds() call from isert_wait_conn() and by only calling
isert_wait_conn() after target_wait_for_sess_cmds().

Fixes: e9d3009cb936 ("scsi: target: iscsi: Wait for all commands to finish before freeing a session").
Link: https://lore.kernel.org/r/20200116044737.19507-1-bvanassche@acm.org
Reported-by: Rahul Kundu <rahul.kundu@chelsio.com>
Signed-off-by: Bart Van Assche <bvanassche@acm.org>
Tested-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Acked-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/infiniband/ulp/isert/ib_isert.c |   12 ------------
 drivers/target/iscsi/iscsi_target.c     |    6 +++---
 2 files changed, 3 insertions(+), 15 deletions(-)

--- a/drivers/infiniband/ulp/isert/ib_isert.c
+++ b/drivers/infiniband/ulp/isert/ib_isert.c
@@ -2582,17 +2582,6 @@ isert_wait4logout(struct isert_conn *ise
 	}
 }
 
-static void
-isert_wait4cmds(struct iscsi_conn *conn)
-{
-	isert_info("iscsi_conn %p\n", conn);
-
-	if (conn->sess) {
-		target_sess_cmd_list_set_waiting(conn->sess->se_sess);
-		target_wait_for_sess_cmds(conn->sess->se_sess);
-	}
-}
-
 /**
  * isert_put_unsol_pending_cmds() - Drop commands waiting for
  *     unsolicitate dataout
@@ -2640,7 +2629,6 @@ static void isert_wait_conn(struct iscsi
 
 	ib_drain_qp(isert_conn->qp);
 	isert_put_unsol_pending_cmds(conn);
-	isert_wait4cmds(conn);
 	isert_wait4logout(isert_conn);
 
 	queue_work(isert_release_wq, &isert_conn->release_work);
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4155,9 +4155,6 @@ int iscsit_close_connection(
 	iscsit_stop_nopin_response_timer(conn);
 	iscsit_stop_nopin_timer(conn);
 
-	if (conn->conn_transport->iscsit_wait_conn)
-		conn->conn_transport->iscsit_wait_conn(conn);
-
 	/*
 	 * During Connection recovery drop unacknowledged out of order
 	 * commands for this connection, and prepare the other commands
@@ -4243,6 +4240,9 @@ int iscsit_close_connection(
 	target_sess_cmd_list_set_waiting(sess->se_sess);
 	target_wait_for_sess_cmds(sess->se_sess);
 
+	if (conn->conn_transport->iscsit_wait_conn)
+		conn->conn_transport->iscsit_wait_conn(conn);
+
 	ahash_request_free(conn->conn_tx_hash);
 	if (conn->conn_rx_hash) {
 		struct crypto_ahash *tfm;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 35/46] tracing: xen: Ordered comparison of function pointers
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 34/46] scsi: RDMA/isert: Fix a recently introduced regression related to logout Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 36/46] do_last(): fetch directory ->i_mode and ->i_uid before its too late Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Changbin Du, Steven Rostedt (VMware)

From: Changbin Du <changbin.du@gmail.com>

commit d0695e2351102affd8efae83989056bc4b275917 upstream.

Just as commit 0566e40ce7 ("tracing: initcall: Ordered comparison of
function pointers"), this patch fixes another remaining one in xen.h
found by clang-9.

In file included from arch/x86/xen/trace.c:21:
In file included from ./include/trace/events/xen.h:475:
In file included from ./include/trace/define_trace.h:102:
In file included from ./include/trace/trace_events.h:473:
./include/trace/events/xen.h:69:7: warning: ordered comparison of function \
pointers ('xen_mc_callback_fn_t' (aka 'void (*)(void *)') and 'xen_mc_callback_fn_t') [-Wordered-compare-function-pointers]
                    __field(xen_mc_callback_fn_t, fn)
                    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/trace/trace_events.h:421:29: note: expanded from macro '__field'
                                ^
./include/trace/trace_events.h:407:6: note: expanded from macro '__field_ext'
                                 is_signed_type(type), filter_type);    \
                                 ^
./include/linux/trace_events.h:554:44: note: expanded from macro 'is_signed_type'
                                              ^

Fixes: c796f213a6934 ("xen/trace: add multicall tracing")
Signed-off-by: Changbin Du <changbin.du@gmail.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/trace/events/xen.h |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/include/trace/events/xen.h
+++ b/include/trace/events/xen.h
@@ -66,7 +66,11 @@ TRACE_EVENT(xen_mc_callback,
 	    TP_PROTO(xen_mc_callback_fn_t fn, void *data),
 	    TP_ARGS(fn, data),
 	    TP_STRUCT__entry(
-		    __field(xen_mc_callback_fn_t, fn)
+		    /*
+		     * Use field_struct to avoid is_signed_type()
+		     * comparison of a function pointer.
+		     */
+		    __field_struct(xen_mc_callback_fn_t, fn)
 		    __field(void *, data)
 		    ),
 	    TP_fast_assign(



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 36/46] do_last(): fetch directory ->i_mode and ->i_uid before its too late
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 35/46] tracing: xen: Ordered comparison of function pointers Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 37/46] sd: Fix REQ_OP_ZONE_REPORT completion handling Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

From: Al Viro <viro@zeniv.linux.org.uk>

commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream.

may_create_in_sticky() call is done when we already have dropped the
reference to dir.

Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and regular files)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/namei.c |   17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1023,7 +1023,8 @@ static int may_linkat(struct path *link)
  * may_create_in_sticky - Check whether an O_CREAT open in a sticky directory
  *			  should be allowed, or not, on files that already
  *			  exist.
- * @dir: the sticky parent directory
+ * @dir_mode: mode bits of directory
+ * @dir_uid: owner of directory
  * @inode: the inode of the file to open
  *
  * Block an O_CREAT open of a FIFO (or a regular file) when:
@@ -1039,18 +1040,18 @@ static int may_linkat(struct path *link)
  *
  * Returns 0 if the open is allowed, -ve on error.
  */
-static int may_create_in_sticky(struct dentry * const dir,
+static int may_create_in_sticky(umode_t dir_mode, kuid_t dir_uid,
 				struct inode * const inode)
 {
 	if ((!sysctl_protected_fifos && S_ISFIFO(inode->i_mode)) ||
 	    (!sysctl_protected_regular && S_ISREG(inode->i_mode)) ||
-	    likely(!(dir->d_inode->i_mode & S_ISVTX)) ||
-	    uid_eq(inode->i_uid, dir->d_inode->i_uid) ||
+	    likely(!(dir_mode & S_ISVTX)) ||
+	    uid_eq(inode->i_uid, dir_uid) ||
 	    uid_eq(current_fsuid(), inode->i_uid))
 		return 0;
 
-	if (likely(dir->d_inode->i_mode & 0002) ||
-	    (dir->d_inode->i_mode & 0020 &&
+	if (likely(dir_mode & 0002) ||
+	    (dir_mode & 0020 &&
 	     ((sysctl_protected_fifos >= 2 && S_ISFIFO(inode->i_mode)) ||
 	      (sysctl_protected_regular >= 2 && S_ISREG(inode->i_mode))))) {
 		return -EACCES;
@@ -3265,6 +3266,8 @@ static int do_last(struct nameidata *nd,
 		   int *opened)
 {
 	struct dentry *dir = nd->path.dentry;
+	kuid_t dir_uid = dir->d_inode->i_uid;
+	umode_t dir_mode = dir->d_inode->i_mode;
 	int open_flag = op->open_flag;
 	bool will_truncate = (open_flag & O_TRUNC) != 0;
 	bool got_write = false;
@@ -3400,7 +3403,7 @@ finish_open:
 		error = -EISDIR;
 		if (d_is_dir(nd->path.dentry))
 			goto out;
-		error = may_create_in_sticky(dir,
+		error = may_create_in_sticky(dir_mode, dir_uid,
 					     d_backing_inode(nd->path.dentry));
 		if (unlikely(error))
 			goto out;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 37/46] sd: Fix REQ_OP_ZONE_REPORT completion handling
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 36/46] do_last(): fetch directory ->i_mode and ->i_uid before its too late Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 38/46] coresight: etb10: Do not call smp_processor_id from preemptible Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Damien Le Moal, Masato Suzuki,
	Martin K. Petersen

From: Masato Suzuki <masato.suzuki@wdc.com>


ZBC/ZAC report zones command may return less bytes than requested if the
number of matching zones for the report request is small. However, unlike
read or write commands, the remainder of incomplete report zones commands
cannot be automatically requested by the block layer: the start sector of
the next report cannot be known, and the report reply may not be 512B
aligned for SAS drives (a report zone reply size is always a multiple of
64B). The regular request completion code executing bio_advance() and
restart of the command remainder part currently causes invalid zone
descriptor data to be reported to the caller if the report zone size is
smaller than 512B (a case that can happen easily for a report of the last
zones of a SAS drive for example).

Since blkdev_report_zones() handles report zone command processing in a
loop until completion (no more zones are being reported), we can safely
avoid that the block layer performs an incorrect bio_advance() call and
restart of the remainder of incomplete report zone BIOs. To do so, always
indicate a full completion of REQ_OP_ZONE_REPORT by setting good_bytes to
the request buffer size and by setting the command resid to 0. This does
not affect the post processing of the report zone reply done by
sd_zbc_complete() since the reply header indicates the number of zones
reported.

Fixes: 89d947561077 ("sd: Implement support for ZBC devices")
Cc: <stable@vger.kernel.org> # 4.19
Cc: <stable@vger.kernel.org> # 4.14
Signed-off-by: Masato Suzuki <masato.suzuki@wdc.com>
Reviewed-by: Damien Le Moal <damien.lemoal@wdc.com>
Acked-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/sd.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1981,9 +1981,13 @@ static int sd_done(struct scsi_cmnd *SCp
 		}
 		break;
 	case REQ_OP_ZONE_REPORT:
+		/* To avoid that the block layer performs an incorrect
+		 * bio_advance() call and restart of the remainder of
+		 * incomplete report zone BIOs, always indicate a full
+		 * completion of REQ_OP_ZONE_REPORT.
+		 */
 		if (!result) {
-			good_bytes = scsi_bufflen(SCpnt)
-				- scsi_get_resid(SCpnt);
+			good_bytes = scsi_bufflen(SCpnt);
 			scsi_set_resid(SCpnt, 0);
 		} else {
 			good_bytes = 0;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 38/46] coresight: etb10: Do not call smp_processor_id from preemptible
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 37/46] sd: Fix REQ_OP_ZONE_REPORT completion handling Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 39/46] coresight: tmc-etf: " Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathieu Poirier, Suzuki K Poulose

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit 730766bae3280a25d40ea76a53dc6342e84e6513 upstream.

During a perf session we try to allocate buffers on the "node" associated
with the CPU the event is bound to. If it is not bound to a CPU, we
use the current CPU node, using smp_processor_id(). However this is unsafe
in a pre-emptible context and could generate the splats as below :

 BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544

Use NUMA_NO_NODE hint instead of using the current node for events
not bound to CPUs.

Fixes: 2997aa4063d97fdb39 ("coresight: etb10: implementing AUX API")
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: stable <stable@vger.kernel.org> # 4.6+
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20190620221237.3536-5-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 drivers/hwtracing/coresight/coresight-etb10.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/hwtracing/coresight/coresight-etb10.c
+++ b/drivers/hwtracing/coresight/coresight-etb10.c
@@ -287,9 +287,7 @@ static void *etb_alloc_buffer(struct cor
 	int node;
 	struct cs_buffers *buf;
 
-	if (cpu == -1)
-		cpu = smp_processor_id();
-	node = cpu_to_node(cpu);
+	node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu);
 
 	buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);
 	if (!buf)



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 39/46] coresight: tmc-etf: Do not call smp_processor_id from preemptible
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 38/46] coresight: etb10: Do not call smp_processor_id from preemptible Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 40/46] libertas: Fix two buffer overflows at parsing bss descriptor Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mathieu Poirier, Suzuki K Poulose

From: Suzuki K Poulose <suzuki.poulose@arm.com>

commit 024c1fd9dbcc1d8a847f1311f999d35783921b7f upstream.

During a perf session we try to allocate buffers on the "node" associated
with the CPU the event is bound to. If it is not bound to a CPU, we
use the current CPU node, using smp_processor_id(). However this is unsafe
in a pre-emptible context and could generate the splats as below :

 BUG: using smp_processor_id() in preemptible [00000000] code: perf/2544
 caller is tmc_alloc_etf_buffer+0x5c/0x60
 CPU: 2 PID: 2544 Comm: perf Not tainted 5.1.0-rc6-147786-g116841e #344
 Hardware name: ARM LTD ARM Juno Development Platform/ARM Juno Development Platform, BIOS EDK II Feb  1 2019
 Call trace:
  dump_backtrace+0x0/0x150
  show_stack+0x14/0x20
  dump_stack+0x9c/0xc4
  debug_smp_processor_id+0x10c/0x110
  tmc_alloc_etf_buffer+0x5c/0x60
  etm_setup_aux+0x1c4/0x230
  rb_alloc_aux+0x1b8/0x2b8
  perf_mmap+0x35c/0x478
  mmap_region+0x34c/0x4f0
  do_mmap+0x2d8/0x418
  vm_mmap_pgoff+0xd0/0xf8
  ksys_mmap_pgoff+0x88/0xf8
  __arm64_sys_mmap+0x28/0x38
  el0_svc_handler+0xd8/0x138
  el0_svc+0x8/0xc

Use NUMA_NO_NODE hint instead of using the current node for events
not bound to CPUs.

Fixes: 2e499bbc1a929ac ("coresight: tmc: implementing TMC-ETF AUX space API")
Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Cc: stable <stable@vger.kernel.org> # 4.7+
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Link: https://lore.kernel.org/r/20190620221237.3536-4-mathieu.poirier@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/hwtracing/coresight/coresight-tmc-etf.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/hwtracing/coresight/coresight-tmc-etf.c
+++ b/drivers/hwtracing/coresight/coresight-tmc-etf.c
@@ -308,9 +308,7 @@ static void *tmc_alloc_etf_buffer(struct
 	int node;
 	struct cs_buffers *buf;
 
-	if (cpu == -1)
-		cpu = smp_processor_id();
-	node = cpu_to_node(cpu);
+	node = (cpu == -1) ? NUMA_NO_NODE : cpu_to_node(cpu);
 
 	/* Allocate memory structure for interaction with Perf */
 	buf = kzalloc_node(sizeof(struct cs_buffers), GFP_KERNEL, node);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 40/46] libertas: Fix two buffer overflows at parsing bss descriptor
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 39/46] coresight: tmc-etf: " Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 41/46] media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kbuild test robot, Wen Huang, Kalle Valo

From: Wen Huang <huangwenabc@gmail.com>

commit e5e884b42639c74b5b57dc277909915c0aefc8bb upstream.

add_ie_rates() copys rates without checking the length
in bss descriptor from remote AP.when victim connects to
remote attacker, this may trigger buffer overflow.
lbs_ibss_join_existing() copys rates without checking the length
in bss descriptor from remote IBSS node.when victim connects to
remote attacker, this may trigger buffer overflow.
Fix them by putting the length check before performing copy.

This fix addresses CVE-2019-14896 and CVE-2019-14897.
This also fix build warning of mixed declarations and code.

Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: Wen Huang <huangwenabc@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/marvell/libertas/cfg.c |   16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

--- a/drivers/net/wireless/marvell/libertas/cfg.c
+++ b/drivers/net/wireless/marvell/libertas/cfg.c
@@ -273,6 +273,10 @@ add_ie_rates(u8 *tlv, const u8 *ie, int
 	int hw, ap, ap_max = ie[1];
 	u8 hw_rate;
 
+	if (ap_max > MAX_RATES) {
+		lbs_deb_assoc("invalid rates\n");
+		return tlv;
+	}
 	/* Advance past IE header */
 	ie += 2;
 
@@ -1720,6 +1724,9 @@ static int lbs_ibss_join_existing(struct
 	struct cmd_ds_802_11_ad_hoc_join cmd;
 	u8 preamble = RADIO_PREAMBLE_SHORT;
 	int ret = 0;
+	int hw, i;
+	u8 rates_max;
+	u8 *rates;
 
 	/* TODO: set preamble based on scan result */
 	ret = lbs_set_radio(priv, preamble, 1);
@@ -1778,9 +1785,12 @@ static int lbs_ibss_join_existing(struct
 	if (!rates_eid) {
 		lbs_add_rates(cmd.bss.rates);
 	} else {
-		int hw, i;
-		u8 rates_max = rates_eid[1];
-		u8 *rates = cmd.bss.rates;
+		rates_max = rates_eid[1];
+		if (rates_max > MAX_RATES) {
+			lbs_deb_join("invalid rates");
+			goto out;
+		}
+		rates = cmd.bss.rates;
 		for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
 			u8 hw_rate = lbs_rates[hw].bitrate / 5;
 			for (i = 0; i < rates_max; i++) {



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 41/46] media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 40/46] libertas: Fix two buffer overflows at parsing bss descriptor Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 42/46] scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hans Verkuil, Mauro Carvalho Chehab

From: Hans Verkuil <hverkuil-cisco@xs4all.nl>

commit ee8951e56c0f960b9621636603a822811cef3158 upstream.

v4l2_vbi_format, v4l2_sliced_vbi_format and v4l2_sdr_format
have a reserved array at the end that should be zeroed by drivers
as per the V4L2 spec. Older drivers often do not do this, so just
handle this in the core.

Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/v4l2-core/v4l2-ioctl.c |   24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

--- a/drivers/media/v4l2-core/v4l2-ioctl.c
+++ b/drivers/media/v4l2-core/v4l2-ioctl.c
@@ -1496,12 +1496,12 @@ static int v4l_s_fmt(const struct v4l2_i
 	case V4L2_BUF_TYPE_VBI_CAPTURE:
 		if (unlikely(!ops->vidioc_s_fmt_vbi_cap))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.vbi);
+		CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
 		return ops->vidioc_s_fmt_vbi_cap(file, fh, arg);
 	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
 		if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_cap))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sliced);
+		CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
 		return ops->vidioc_s_fmt_sliced_vbi_cap(file, fh, arg);
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
 		if (unlikely(!ops->vidioc_s_fmt_vid_out))
@@ -1524,22 +1524,22 @@ static int v4l_s_fmt(const struct v4l2_i
 	case V4L2_BUF_TYPE_VBI_OUTPUT:
 		if (unlikely(!ops->vidioc_s_fmt_vbi_out))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.vbi);
+		CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
 		return ops->vidioc_s_fmt_vbi_out(file, fh, arg);
 	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
 		if (unlikely(!ops->vidioc_s_fmt_sliced_vbi_out))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sliced);
+		CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
 		return ops->vidioc_s_fmt_sliced_vbi_out(file, fh, arg);
 	case V4L2_BUF_TYPE_SDR_CAPTURE:
 		if (unlikely(!ops->vidioc_s_fmt_sdr_cap))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sdr);
+		CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
 		return ops->vidioc_s_fmt_sdr_cap(file, fh, arg);
 	case V4L2_BUF_TYPE_SDR_OUTPUT:
 		if (unlikely(!ops->vidioc_s_fmt_sdr_out))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sdr);
+		CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
 		return ops->vidioc_s_fmt_sdr_out(file, fh, arg);
 	case V4L2_BUF_TYPE_META_CAPTURE:
 		if (unlikely(!ops->vidioc_s_fmt_meta_cap))
@@ -1583,12 +1583,12 @@ static int v4l_try_fmt(const struct v4l2
 	case V4L2_BUF_TYPE_VBI_CAPTURE:
 		if (unlikely(!ops->vidioc_try_fmt_vbi_cap))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.vbi);
+		CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
 		return ops->vidioc_try_fmt_vbi_cap(file, fh, arg);
 	case V4L2_BUF_TYPE_SLICED_VBI_CAPTURE:
 		if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_cap))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sliced);
+		CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
 		return ops->vidioc_try_fmt_sliced_vbi_cap(file, fh, arg);
 	case V4L2_BUF_TYPE_VIDEO_OUTPUT:
 		if (unlikely(!ops->vidioc_try_fmt_vid_out))
@@ -1611,22 +1611,22 @@ static int v4l_try_fmt(const struct v4l2
 	case V4L2_BUF_TYPE_VBI_OUTPUT:
 		if (unlikely(!ops->vidioc_try_fmt_vbi_out))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.vbi);
+		CLEAR_AFTER_FIELD(p, fmt.vbi.flags);
 		return ops->vidioc_try_fmt_vbi_out(file, fh, arg);
 	case V4L2_BUF_TYPE_SLICED_VBI_OUTPUT:
 		if (unlikely(!ops->vidioc_try_fmt_sliced_vbi_out))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sliced);
+		CLEAR_AFTER_FIELD(p, fmt.sliced.io_size);
 		return ops->vidioc_try_fmt_sliced_vbi_out(file, fh, arg);
 	case V4L2_BUF_TYPE_SDR_CAPTURE:
 		if (unlikely(!ops->vidioc_try_fmt_sdr_cap))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sdr);
+		CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
 		return ops->vidioc_try_fmt_sdr_cap(file, fh, arg);
 	case V4L2_BUF_TYPE_SDR_OUTPUT:
 		if (unlikely(!ops->vidioc_try_fmt_sdr_out))
 			break;
-		CLEAR_AFTER_FIELD(p, fmt.sdr);
+		CLEAR_AFTER_FIELD(p, fmt.sdr.buffersize);
 		return ops->vidioc_try_fmt_sdr_out(file, fh, arg);
 	case V4L2_BUF_TYPE_META_CAPTURE:
 		if (unlikely(!ops->vidioc_try_fmt_meta_cap))



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 42/46] scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 41/46] media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 43/46] md: Avoid namespace collision with bitmap API Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bo Wu, Zhiqiang Liu, Lee Duncan,
	Martin K. Petersen

From: Bo Wu <wubo40@huawei.com>

commit bba340c79bfe3644829db5c852fdfa9e33837d6d upstream.

In iscsi_if_rx func, after receiving one request through
iscsi_if_recv_msg func, iscsi_if_send_reply will be called to try to
reply to the request in a do-while loop.  If the iscsi_if_send_reply
function keeps returning -EAGAIN, a deadlock will occur.

For example, a client only send msg without calling recvmsg func, then
it will result in the watchdog soft lockup.  The details are given as
follows:

	sock_fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ISCSI);
	retval = bind(sock_fd, (struct sock addr*) & src_addr, sizeof(src_addr);
	while (1) {
		state_msg = sendmsg(sock_fd, &msg, 0);
		//Note: recvmsg(sock_fd, &msg, 0) is not processed here.
	}
	close(sock_fd);

watchdog: BUG: soft lockup - CPU#7 stuck for 22s! [netlink_test:253305] Sample time: 4000897528 ns(HZ: 250) Sample stat:
curr: user: 675503481560, nice: 321724050, sys: 448689506750, idle: 4654054240530, iowait: 40885550700, irq: 14161174020, softirq: 8104324140, st: 0
deta: user: 0, nice: 0, sys: 3998210100, idle: 0, iowait: 0, irq: 1547170, softirq: 242870, st: 0 Sample softirq:
         TIMER:        992
         SCHED:          8
Sample irqstat:
         irq    2: delta       1003, curr:    3103802, arch_timer
CPU: 7 PID: 253305 Comm: netlink_test Kdump: loaded Tainted: G           OE
Hardware name: QEMU KVM Virtual Machine, BIOS 0.0.0 02/06/2015
pstate: 40400005 (nZcv daif +PAN -UAO)
pc : __alloc_skb+0x104/0x1b0
lr : __alloc_skb+0x9c/0x1b0
sp : ffff000033603a30
x29: ffff000033603a30 x28: 00000000000002dd
x27: ffff800b34ced810 x26: ffff800ba7569f00
x25: 00000000ffffffff x24: 0000000000000000
x23: ffff800f7c43f600 x22: 0000000000480020
x21: ffff0000091d9000 x20: ffff800b34eff200
x19: ffff800ba7569f00 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000
x15: 0000000000000000 x14: 0001000101000100
x13: 0000000101010000 x12: 0101000001010100
x11: 0001010101010001 x10: 00000000000002dd
x9 : ffff000033603d58 x8 : ffff800b34eff400
x7 : ffff800ba7569200 x6 : ffff800b34eff400
x5 : 0000000000000000 x4 : 00000000ffffffff
x3 : 0000000000000000 x2 : 0000000000000001
x1 : ffff800b34eff2c0 x0 : 0000000000000300 Call trace:
__alloc_skb+0x104/0x1b0
iscsi_if_rx+0x144/0x12bc [scsi_transport_iscsi]
netlink_unicast+0x1e0/0x258
netlink_sendmsg+0x310/0x378
sock_sendmsg+0x4c/0x70
sock_write_iter+0x90/0xf0
__vfs_write+0x11c/0x190
vfs_write+0xac/0x1c0
ksys_write+0x6c/0xd8
__arm64_sys_write+0x24/0x30
el0_svc_common+0x78/0x130
el0_svc_handler+0x38/0x78
el0_svc+0x8/0xc

Link: https://lore.kernel.org/r/EDBAAA0BBBA2AC4E9C8B6B81DEEE1D6915E3D4D2@dggeml505-mbx.china.huawei.com
Signed-off-by: Bo Wu <wubo40@huawei.com>
Reviewed-by: Zhiqiang Liu <liuzhiqiang26@huawei.com>
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_transport_iscsi.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -37,6 +37,8 @@
 
 #define ISCSI_TRANSPORT_VERSION "2.0-870"
 
+#define ISCSI_SEND_MAX_ALLOWED  10
+
 static int dbg_session;
 module_param_named(debug_session, dbg_session, int,
 		   S_IRUGO | S_IWUSR);
@@ -3680,6 +3682,7 @@ iscsi_if_rx(struct sk_buff *skb)
 		struct nlmsghdr	*nlh;
 		struct iscsi_uevent *ev;
 		uint32_t group;
+		int retries = ISCSI_SEND_MAX_ALLOWED;
 
 		nlh = nlmsg_hdr(skb);
 		if (nlh->nlmsg_len < sizeof(*nlh) + sizeof(*ev) ||
@@ -3710,6 +3713,10 @@ iscsi_if_rx(struct sk_buff *skb)
 				break;
 			err = iscsi_if_send_reply(portid, nlh->nlmsg_type,
 						  ev, sizeof(*ev));
+			if (err == -EAGAIN && --retries < 0) {
+				printk(KERN_WARNING "Send reply failed, error %d\n", err);
+				break;
+			}
 		} while (err < 0 && err != -ECONNREFUSED && err != -ESRCH);
 		skb_pull(skb, rlen);
 	}



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 43/46] md: Avoid namespace collision with bitmap API
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 42/46] scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 44/46] bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Shaohua Li, Dmitry Torokhov

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit e64e4018d572710c44f42c923d4ac059f0a23320 upstream.

bitmap API (include/linux/bitmap.h) has 'bitmap' prefix for its methods.

On the other hand MD bitmap API is special case.
Adding 'md' prefix to it to avoid name space collision.

No functional changes intended.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Shaohua Li <shli@kernel.org>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
[only take the bitmap_free change for stable - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/md/bitmap.c     |   10 +++++-----
 drivers/md/bitmap.h     |    2 +-
 drivers/md/md-cluster.c |    6 +++---
 3 files changed, 9 insertions(+), 9 deletions(-)

--- a/drivers/md/bitmap.c
+++ b/drivers/md/bitmap.c
@@ -1729,7 +1729,7 @@ void bitmap_flush(struct mddev *mddev)
 /*
  * free memory that was allocated
  */
-void bitmap_free(struct bitmap *bitmap)
+void md_bitmap_free(struct bitmap *bitmap)
 {
 	unsigned long k, pages;
 	struct bitmap_page *bp;
@@ -1763,7 +1763,7 @@ void bitmap_free(struct bitmap *bitmap)
 	kfree(bp);
 	kfree(bitmap);
 }
-EXPORT_SYMBOL(bitmap_free);
+EXPORT_SYMBOL(md_bitmap_free);
 
 void bitmap_wait_behind_writes(struct mddev *mddev)
 {
@@ -1796,7 +1796,7 @@ void bitmap_destroy(struct mddev *mddev)
 	if (mddev->thread)
 		mddev->thread->timeout = MAX_SCHEDULE_TIMEOUT;
 
-	bitmap_free(bitmap);
+	md_bitmap_free(bitmap);
 }
 
 /*
@@ -1887,7 +1887,7 @@ struct bitmap *bitmap_create(struct mdde
 
 	return bitmap;
  error:
-	bitmap_free(bitmap);
+	md_bitmap_free(bitmap);
 	return ERR_PTR(err);
 }
 
@@ -1958,7 +1958,7 @@ struct bitmap *get_bitmap_from_slot(stru
 
 	rv = bitmap_init_from_disk(bitmap, 0);
 	if (rv) {
-		bitmap_free(bitmap);
+		md_bitmap_free(bitmap);
 		return ERR_PTR(rv);
 	}
 
--- a/drivers/md/bitmap.h
+++ b/drivers/md/bitmap.h
@@ -271,7 +271,7 @@ int bitmap_resize(struct bitmap *bitmap,
 struct bitmap *get_bitmap_from_slot(struct mddev *mddev, int slot);
 int bitmap_copy_from_slot(struct mddev *mddev, int slot,
 				sector_t *lo, sector_t *hi, bool clear_bits);
-void bitmap_free(struct bitmap *bitmap);
+void md_bitmap_free(struct bitmap *bitmap);
 void bitmap_wait_behind_writes(struct mddev *mddev);
 #endif
 
--- a/drivers/md/md-cluster.c
+++ b/drivers/md/md-cluster.c
@@ -1128,7 +1128,7 @@ int cluster_check_sync_size(struct mddev
 		bm_lockres = lockres_init(mddev, str, NULL, 1);
 		if (!bm_lockres) {
 			pr_err("md-cluster: Cannot initialize %s\n", str);
-			bitmap_free(bitmap);
+			md_bitmap_free(bitmap);
 			return -1;
 		}
 		bm_lockres->flags |= DLM_LKF_NOQUEUE;
@@ -1142,11 +1142,11 @@ int cluster_check_sync_size(struct mddev
 			sync_size = sb->sync_size;
 		else if (sync_size != sb->sync_size) {
 			kunmap_atomic(sb);
-			bitmap_free(bitmap);
+			md_bitmap_free(bitmap);
 			return -1;
 		}
 		kunmap_atomic(sb);
-		bitmap_free(bitmap);
+		md_bitmap_free(bitmap);
 	}
 
 	return (my_sync_size == sync_size) ? 0 : -1;



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 44/46] bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free()
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 43/46] md: Avoid namespace collision with bitmap API Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 45/46] netfilter: ipset: use bitmap infrastructure completely Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Dmitry Torokhov

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

commit c42b65e363ce97a828f81b59033c3558f8fa7f70 upstream.

A lot of code become ugly because of open coding allocations for bitmaps.

Introduce three helpers to allow users be more clear of intention
and keep their code neat.

Note, due to multiple circular dependencies we may not provide
the helpers as inliners. For now we keep them exported and, perhaps,
at some point in the future we will sort out header inclusion and
inheritance.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/bitmap.h |    8 ++++++++
 lib/bitmap.c           |   20 ++++++++++++++++++++
 2 files changed, 28 insertions(+)

--- a/include/linux/bitmap.h
+++ b/include/linux/bitmap.h
@@ -87,6 +87,14 @@
  */
 
 /*
+ * Allocation and deallocation of bitmap.
+ * Provided in lib/bitmap.c to avoid circular dependency.
+ */
+extern unsigned long *bitmap_alloc(unsigned int nbits, gfp_t flags);
+extern unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags);
+extern void bitmap_free(const unsigned long *bitmap);
+
+/*
  * lib/bitmap.c provides these functions:
  */
 
--- a/lib/bitmap.c
+++ b/lib/bitmap.c
@@ -13,6 +13,7 @@
 #include <linux/bitops.h>
 #include <linux/bug.h>
 #include <linux/kernel.h>
+#include <linux/slab.h>
 #include <linux/string.h>
 #include <linux/uaccess.h>
 
@@ -1212,3 +1213,22 @@ void bitmap_copy_le(unsigned long *dst,
 }
 EXPORT_SYMBOL(bitmap_copy_le);
 #endif
+
+unsigned long *bitmap_alloc(unsigned int nbits, gfp_t flags)
+{
+	return kmalloc_array(BITS_TO_LONGS(nbits), sizeof(unsigned long),
+			     flags);
+}
+EXPORT_SYMBOL(bitmap_alloc);
+
+unsigned long *bitmap_zalloc(unsigned int nbits, gfp_t flags)
+{
+	return bitmap_alloc(nbits, flags | __GFP_ZERO);
+}
+EXPORT_SYMBOL(bitmap_zalloc);
+
+void bitmap_free(const unsigned long *bitmap)
+{
+	kfree(bitmap);
+}
+EXPORT_SYMBOL(bitmap_free);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 45/46] netfilter: ipset: use bitmap infrastructure completely
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 44/46] bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 13:58 ` [PATCH 4.14 46/46] net/x25: fix nonblocking connect Greg Kroah-Hartman
                   ` (4 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+fabca5cbf5e54f3fe2de,
	syzbot+827ced406c9a1d9570ed, syzbot+190d63957b22ef673ea5,
	syzbot+dfccdb2bdb4a12ad425e, syzbot+df0d0f5895ef1f41a65b,
	syzbot+b08bd19bb37513357fd4, syzbot+53cdd0ec0bbabd53370a,
	Jozsef Kadlecsik, Pablo Neira Ayuso

From: Kadlecsik József <kadlec@blackhole.kfki.hu>

commit 32c72165dbd0e246e69d16a3ad348a4851afd415 upstream.

The bitmap allocation did not use full unsigned long sizes
when calculating the required size and that was triggered by KASAN
as slab-out-of-bounds read in several places. The patch fixes all
of them.

Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 include/linux/netfilter/ipset/ip_set.h    |    7 -------
 net/netfilter/ipset/ip_set_bitmap_gen.h   |    2 +-
 net/netfilter/ipset/ip_set_bitmap_ip.c    |    6 +++---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c |    6 +++---
 net/netfilter/ipset/ip_set_bitmap_port.c  |    6 +++---
 5 files changed, 10 insertions(+), 17 deletions(-)

--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -445,13 +445,6 @@ ip6addrptr(const struct sk_buff *skb, bo
 	       sizeof(*addr));
 }
 
-/* Calculate the bytes required to store the inclusive range of a-b */
-static inline int
-bitmap_bytes(u32 a, u32 b)
-{
-	return 4 * ((((b - a + 8) / 8) + 3) / 4);
-}
-
 #include <linux/netfilter/ipset/ip_set_timeout.h>
 #include <linux/netfilter/ipset/ip_set_comment.h>
 #include <linux/netfilter/ipset/ip_set_counter.h>
--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
+++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
@@ -79,7 +79,7 @@ mtype_flush(struct ip_set *set)
 
 	if (set->extensions & IPSET_EXT_DESTROY)
 		mtype_ext_cleanup(set);
-	memset(map->members, 0, map->memsize);
+	bitmap_zero(map->members, map->elements);
 	set->elements = 0;
 	set->ext_size = 0;
 }
--- a/net/netfilter/ipset/ip_set_bitmap_ip.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ip.c
@@ -40,7 +40,7 @@ MODULE_ALIAS("ip_set_bitmap:ip");
 
 /* Type structure */
 struct bitmap_ip {
-	void *members;		/* the set members */
+	unsigned long *members;	/* the set members */
 	u32 first_ip;		/* host byte order, included in range */
 	u32 last_ip;		/* host byte order, included in range */
 	u32 elements;		/* number of max elements in the set */
@@ -222,7 +222,7 @@ init_map_ip(struct ip_set *set, struct b
 	    u32 first_ip, u32 last_ip,
 	    u32 elements, u32 hosts, u8 netmask)
 {
-	map->members = ip_set_alloc(map->memsize);
+	map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
 	if (!map->members)
 		return false;
 	map->first_ip = first_ip;
@@ -315,7 +315,7 @@ bitmap_ip_create(struct net *net, struct
 	if (!map)
 		return -ENOMEM;
 
-	map->memsize = bitmap_bytes(0, elements - 1);
+	map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
 	set->variant = &bitmap_ip;
 	if (!init_map_ip(set, map, first_ip, last_ip,
 			 elements, hosts, netmask)) {
--- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c
+++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c
@@ -46,7 +46,7 @@ enum {
 
 /* Type structure */
 struct bitmap_ipmac {
-	void *members;		/* the set members */
+	unsigned long *members;	/* the set members */
 	u32 first_ip;		/* host byte order, included in range */
 	u32 last_ip;		/* host byte order, included in range */
 	u32 elements;		/* number of max elements in the set */
@@ -299,7 +299,7 @@ static bool
 init_map_ipmac(struct ip_set *set, struct bitmap_ipmac *map,
 	       u32 first_ip, u32 last_ip, u32 elements)
 {
-	map->members = ip_set_alloc(map->memsize);
+	map->members = bitmap_zalloc(elements, GFP_KERNEL | __GFP_NOWARN);
 	if (!map->members)
 		return false;
 	map->first_ip = first_ip;
@@ -363,7 +363,7 @@ bitmap_ipmac_create(struct net *net, str
 	if (!map)
 		return -ENOMEM;
 
-	map->memsize = bitmap_bytes(0, elements - 1);
+	map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
 	set->variant = &bitmap_ipmac;
 	if (!init_map_ipmac(set, map, first_ip, last_ip, elements)) {
 		kfree(map);
--- a/net/netfilter/ipset/ip_set_bitmap_port.c
+++ b/net/netfilter/ipset/ip_set_bitmap_port.c
@@ -34,7 +34,7 @@ MODULE_ALIAS("ip_set_bitmap:port");
 
 /* Type structure */
 struct bitmap_port {
-	void *members;		/* the set members */
+	unsigned long *members;	/* the set members */
 	u16 first_port;		/* host byte order, included in range */
 	u16 last_port;		/* host byte order, included in range */
 	u32 elements;		/* number of max elements in the set */
@@ -207,7 +207,7 @@ static bool
 init_map_port(struct ip_set *set, struct bitmap_port *map,
 	      u16 first_port, u16 last_port)
 {
-	map->members = ip_set_alloc(map->memsize);
+	map->members = bitmap_zalloc(map->elements, GFP_KERNEL | __GFP_NOWARN);
 	if (!map->members)
 		return false;
 	map->first_port = first_port;
@@ -250,7 +250,7 @@ bitmap_port_create(struct net *net, stru
 		return -ENOMEM;
 
 	map->elements = elements;
-	map->memsize = bitmap_bytes(0, map->elements);
+	map->memsize = BITS_TO_LONGS(elements) * sizeof(unsigned long);
 	set->variant = &bitmap_port;
 	if (!init_map_port(set, map, first_port, last_port)) {
 		kfree(map);



^ permalink raw reply	[flat|nested] 56+ messages in thread

* [PATCH 4.14 46/46] net/x25: fix nonblocking connect
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 45/46] netfilter: ipset: use bitmap infrastructure completely Greg Kroah-Hartman
@ 2020-01-28 13:58 ` Greg Kroah-Hartman
  2020-01-28 23:05 ` [PATCH 4.14 00/46] 4.14.169-stable review shuah
                   ` (3 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Greg Kroah-Hartman @ 2020-01-28 13:58 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Schiller,
	syzbot+429c200ffc8772bfe070, syzbot+eec0c87f31a7c3b66f7b,
	David S. Miller

From: Martin Schiller <ms@dev.tdt.de>

commit e21dba7a4df4d93da237da65a096084b4f2e87b4 upstream.

This patch fixes 2 issues in x25_connect():

1. It makes absolutely no sense to reset the neighbour and the
connection state after a (successful) nonblocking call of x25_connect.
This prevents any connection from being established, since the response
(call accept) cannot be processed.

2. Any further calls to x25_connect() while a call is pending should
simply return, instead of creating new Call Request (on different
logical channels).

This patch should also fix the "KASAN: null-ptr-deref Write in
x25_connect" and "BUG: unable to handle kernel NULL pointer dereference
in x25_connect" bugs reported by syzbot.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Reported-by: syzbot+429c200ffc8772bfe070@syzkaller.appspotmail.com
Reported-by: syzbot+eec0c87f31a7c3b66f7b@syzkaller.appspotmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/x25/af_x25.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -764,6 +764,10 @@ static int x25_connect(struct socket *so
 	if (sk->sk_state == TCP_ESTABLISHED)
 		goto out;
 
+	rc = -EALREADY;	/* Do nothing if call is already in progress */
+	if (sk->sk_state == TCP_SYN_SENT)
+		goto out;
+
 	sk->sk_state   = TCP_CLOSE;
 	sock->state = SS_UNCONNECTED;
 
@@ -810,7 +814,7 @@ static int x25_connect(struct socket *so
 	/* Now the loop */
 	rc = -EINPROGRESS;
 	if (sk->sk_state != TCP_ESTABLISHED && (flags & O_NONBLOCK))
-		goto out_put_neigh;
+		goto out;
 
 	rc = x25_wait_for_connection_establishment(sk);
 	if (rc)



^ permalink raw reply	[flat|nested] 56+ messages in thread

* Re: [PATCH 4.14 00/46] 4.14.169-stable review
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2020-01-28 13:58 ` [PATCH 4.14 46/46] net/x25: fix nonblocking connect Greg Kroah-Hartman
@ 2020-01-28 23:05 ` shuah
  2020-01-29  4:53   ` [LTP] " Naresh Kamboju
                   ` (2 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: shuah @ 2020-01-28 23:05 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, patches, ben.hutchings, lkft-triage,
	stable, shuah

On 1/28/20 6:57 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.169 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 30 Jan 2020 13:57:09 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.169-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

thanks,
-- Shuah


^ permalink raw reply	[flat|nested] 56+ messages in thread

* Re: [PATCH 4.14 00/46] 4.14.169-stable review
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
@ 2020-01-29  4:53   ` Naresh Kamboju
  2020-01-28 13:57 ` [PATCH 4.14 02/46] firestream: fix memory leaks Greg Kroah-Hartman
                     ` (48 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Naresh Kamboju @ 2020-01-29  4:53 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, Ben Hutchings, lkft-triage, linux- stable,
	LTP List, Jan Stancek, rpalethorpe

On Tue, 28 Jan 2020 at 19:28, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.14.169 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 30 Jan 2020 13:57:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.169-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

NOTE:
LTP fs test read_all_proc fails intermittently on 4.9 and 4.14 branches.

Summary
------------------------------------------------------------------------

kernel: 4.14.169-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 5986a79ae28421d7027cb4ab78fba7d787a9f06e
git describe: v4.14.168-47-g5986a79ae284
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.168-47-g5986a79ae284

No regressions (compared to build v4.14.168)

No fixes (compared to build v4.14.168)

Ran 24221 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* network-basic-tests
* ltp-open-posix-tests
* kvm-unit-tests
* ssuite
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 56+ messages in thread

* [LTP] [PATCH 4.14 00/46] 4.14.169-stable review
@ 2020-01-29  4:53   ` Naresh Kamboju
  0 siblings, 0 replies; 56+ messages in thread
From: Naresh Kamboju @ 2020-01-29  4:53 UTC (permalink / raw)
  To: ltp

On Tue, 28 Jan 2020 at 19:28, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.14.169 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 30 Jan 2020 13:57:09 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.169-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro?s test farm.
No regressions on arm64, arm, x86_64, and i386.

NOTE:
LTP fs test read_all_proc fails intermittently on 4.9 and 4.14 branches.

Summary
------------------------------------------------------------------------

kernel: 4.14.169-rc1
git repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
git branch: linux-4.14.y
git commit: 5986a79ae28421d7027cb4ab78fba7d787a9f06e
git describe: v4.14.168-47-g5986a79ae284
Test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/build/v4.14.168-47-g5986a79ae284

No regressions (compared to build v4.14.168)

No fixes (compared to build v4.14.168)

Ran 24221 total tests in the following environments and test suites.

Environments
--------------
- dragonboard-410c - arm64
- hi6220-hikey - arm64
- i386
- juno-r2 - arm64
- qemu_arm
- qemu_arm64
- qemu_i386
- qemu_x86_64
- x15 - arm
- x86_64

Test Suites
-----------
* build
* install-android-platform-tools-r2600
* kselftest
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-cpuhotplug-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* perf
* spectre-meltdown-checker-test
* v4l2-compliance
* network-basic-tests
* ltp-open-posix-tests
* kvm-unit-tests
* ssuite
* kselftest-vsyscall-mode-native
* kselftest-vsyscall-mode-none

-- 
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 56+ messages in thread

* [LTP] [PATCH 4.14 00/46] 4.14.169-stable review
  2020-01-29  4:53   ` [LTP] " Naresh Kamboju
  (?)
@ 2020-01-29  9:16   ` Jan Stancek
  2020-01-29 10:27     ` Naresh Kamboju
  -1 siblings, 1 reply; 56+ messages in thread
From: Jan Stancek @ 2020-01-29  9:16 UTC (permalink / raw)
  To: ltp



----- Original Message -----
> NOTE:
> LTP fs test read_all_proc fails intermittently on 4.9 and 4.14 branches.

[trim CC list to LTP]

Naresh, do you have some examples of these failures?
Has it started recently or do you see it long-term?
Is test timing out on some specific /proc entries?
If yes, is it possible to run test with strace or with "-v" so we can
see where it's getting stuck?

Thanks,
Jan


^ permalink raw reply	[flat|nested] 56+ messages in thread

* [LTP] [PATCH 4.14 00/46] 4.14.169-stable review
  2020-01-29  9:16   ` Jan Stancek
@ 2020-01-29 10:27     ` Naresh Kamboju
  2020-01-31  9:45       ` Jan Stancek
  0 siblings, 1 reply; 56+ messages in thread
From: Naresh Kamboju @ 2020-01-29 10:27 UTC (permalink / raw)
  To: ltp

On Wed, 29 Jan 2020 at 14:46, Jan Stancek <jstancek@redhat.com> wrote:
>
>
>
> ----- Original Message -----
> > NOTE:
> > LTP fs test read_all_proc fails intermittently on 4.9 and 4.14 branches.
>
> [trim CC list to LTP]
>
> Naresh, do you have some examples of these failures?

Yes.
I have posted the links below.

> Has it started recently or do you see it long-term?

We have seen this from a this test is introduced.
Not specific to any branch. This failure is intermittent and found on
multiple trees and branches.

> Is test timing out on some specific /proc entries?

Yes. When running on qemu devices it is getting timedout.

> If yes, is it possible to run test with strace or with "-v" so we can
> see where it's getting stuck?

Test failed links,
https://lkft.validation.linaro.org/scheduler/job/1143332#L1271
https://lkft.validation.linaro.org/scheduler/job/1143281#L3969
https://lkft.validation.linaro.org/scheduler/job/1142547#L1719
https://lkft.validation.linaro.org/scheduler/job/1145024#L677
https://lkft.validation.linaro.org/scheduler/job/1142037#L4225

Test results comparison link,
https://qa-reports.linaro.org/lkft/linux-stable-rc-4.14-oe/tests/ltp-fs-tests/read_all_proc
https://qa-reports.linaro.org/lkft/linux-stable-rc-4.9-oe/tests/ltp-fs-tests/read_all_proc

example crash output:
------------------------------
tst_test.c:1118: INFO: Timeout per run is 0h 15m 00s
[ 1136.978957] BUG: unable to handle kernel NULL pointer dereference at 00000004
[ 1136.979046] IP: [<c125da77>] path_openat+0xd7/0x16d0
[ 1136.979046] *pde = 00000000 [ 1136.979046]
[ 1136.979046] Oops: 0000 [#1] SMP
[ 1136.979046] Modules linked in: tun fuse
[ 1136.979046] CPU: 1 PID: 6535 Comm: read_all Not tainted 4.9.212-rc2 #1
[ 1136.979046] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.12.0-1 04/01/2014
[ 1136.979046] task: f56e6300 task.stack: f3ada000
[ 1136.979046] EIP: 0060:[<c125da77>] EFLAGS: 00010246 CPU: 1
[ 1136.979046] EIP is at path_openat+0xd7/0x16d0
[ 1136.979046] EAX: 00000000 EBX: f3fb6210 ECX: f3adbf54 EDX: 0000000d
[ 1136.979046] ESI: 00000800 EDI: f3adbea4 EBP: f3adbe98 ESP: f3adbddc
[ 1136.979046]  DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
[ 1136.979046] CR0: 80050033 CR2: 00000004 CR3: 33a72000 CR4: 003406d0
[ 1136.979046] Stack:
[ 1136.979046]  f3adbe38 00000246 f56e6300 f56e6300 00000001 f56e6300
00000001 f56e6300
[ 1136.979046]  f3adbeac f56e6300 00000001 00000041 f56e68a8 f3a7e500
00000046 f56e6300
[ 1136.979046]  00000000 f3adbf54 00000000 00000000 f56e68a8 f3adbeb8
c111fcde c26cd460
[ 1136.979046] Call Trace:
[ 1136.979046]  [<c111fcde>] ? __lock_acquire+0x24e/0x12e0
[ 1136.979046]  [<c113c87a>] ? debug_lockdep_rcu_enabled+0x1a/0x30
[ 1136.979046]  [<c126009e>] do_filp_open+0x5e/0xb0
[ 1136.979046]  [<c1af1b72>] ? _raw_spin_unlock+0x22/0x30
[ 1136.979046]  [<c1270eed>] ? __alloc_fd+0xbd/0x1d0
[ 1136.979046]  [<c124ce1c>] do_sys_open+0x19c/0x240
[ 1136.979046]  [<c1214e11>] ? __might_fault+0x41/0xa0
[ 1136.979046]  [<c124cf10>] SyS_openat+0x20/0x30
[ 1136.979046]  [<c1001cd8>] do_fast_syscall_32+0xa8/0x240
[ 1136.979046]  [<c1af2330>] sysenter_past_esp+0x45/0x74
[ 1136.979046] Code: 20 f2 ff ff 3d 00 f0 ff ff 0f 87 85 05 00 00 89
fa e8 5e ec ff ff 85 c0 89 c6 0f 85 76 05 00 00 8b 5f 04 8b 4d 88 8b
43 30 8b 31 <8b> 50 04 0f b7 00 89 75 8c 81 e6 00 02 00 00 89 75 80 89
95 74
[ 1136.979046] EIP: [<c125da77>] [ 1136.979046] path_openat+0xd7/0x16d0
[ 1136.979046]  SS:ESP 0068:f3adbddc
[ 1136.979046] CR2: 0000000000000004
[ 1136.979046] ---[ end trace 01501609579dce3c ]---
[ 1136.979046] BUG: sleeping function called from invalid context at
/usr/src/kernel/include/linux/sched.h:3154
[ 1136.979046] in_atomic(): 1, irqs_disabled(): 1, pid: 6535, name: read_all
[ 1136.979046] INFO: lockdep is turned off.
[ 1136.979046] irq event stamp: 14908
[ 1136.979046] hardirqs last  enabled at (14907): [<c125c084>]
lookup_fast+0x1f4/0x330
[ 1136.979046] hardirqs last disabled at (14908): [<c1af327f>]
error_code+0x5b/0x7c
[ 1136.979046] softirqs last  enabled at (13428): [<c1af5695>]
__do_softirq+0x2e5/0x457
[ 1136.979046] softirqs last disabled at (13421): [<c108b835>]
call_on_stack+0x45/0x50
[ 1136.979046] CPU: 1 PID: 6535 Comm: read_all Tainted: G      D
  4.9.212-rc2 #1
[ 1136.979046] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.12.0-1 04/01/2014
[ 1136.979046]  f3adbee4 c142af02 f56e6300 f56e6788 f3adbf0c c10f6598
c1db2154 00000001
[ 1136.979046]  00000001 00001987 f56e6788 f56e6300 00000000 f56e6300
f3adbf40 c10f66d3
[ 1136.979046]  00000000 00000800 00000002 ffffff9c f57d4000 00000006
ffffff9c f3adbf74
[ 1136.979046] Call Trace:
[ 1136.979046]  [<c142af02>] dump_stack+0x6e/0x9c
[ 1136.979046]  [<c10f6598>] ___might_sleep+0x138/0x240
[ 1136.979046]  [<c10f66d3>] __might_sleep+0x33/0xa0
[ 1136.979046]  [<c124ce1c>] ? do_sys_open+0x19c/0x240
[ 1136.979046]  [<c10de76f>] exit_signals+0x1f/0x220
[ 1136.979046]  [<c10d098b>] do_exit+0x8b/0xbd0
[ 1136.979046]  [<c124cf10>] ? SyS_openat+0x20/0x30
[ 1136.979046]  [<c1001cd8>] ? do_fast_syscall_32+0xa8/0x240
[ 1136.979046]  [<c1af342d>] rewind_stack_do_exit+0x11/0x13
[ 1136.979046] note: read_all[6535] exited with preempt_count 1
read_all.c:313: BROK: queue_push(workers[j].q, path) timed out

- Naresh

^ permalink raw reply	[flat|nested] 56+ messages in thread

* Re: [PATCH 4.14 00/46] 4.14.169-stable review
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
@ 2020-01-29 13:13   ` Jon Hunter
  2020-01-28 13:57 ` [PATCH 4.14 02/46] firestream: fix memory leaks Greg Kroah-Hartman
                     ` (48 subsequent siblings)
  49 siblings, 0 replies; 56+ messages in thread
From: Jon Hunter @ 2020-01-29 13:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 28/01/2020 13:57, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.169 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 30 Jan 2020 13:57:09 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.169-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v4.14:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    24 tests:	24 pass, 0 fail

Linux version:	4.14.169-rc1-g5986a79ae284
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 56+ messages in thread

* Re: [PATCH 4.14 00/46] 4.14.169-stable review
@ 2020-01-29 13:13   ` Jon Hunter
  0 siblings, 0 replies; 56+ messages in thread
From: Jon Hunter @ 2020-01-29 13:13 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, ben.hutchings,
	lkft-triage, stable, linux-tegra


On 28/01/2020 13:57, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.169 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 30 Jan 2020 13:57:09 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.169-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.14.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests are passing for Tegra ...

Test results for stable-v4.14:
    8 builds:	8 pass, 0 fail
    16 boots:	16 pass, 0 fail
    24 tests:	24 pass, 0 fail

Linux version:	4.14.169-rc1-g5986a79ae284
Boards tested:	tegra124-jetson-tk1, tegra20-ventana,
                tegra210-p2371-2180, tegra30-cardhu-a04

Cheers
Jon

-- 
nvpublic

^ permalink raw reply	[flat|nested] 56+ messages in thread

* Re: [PATCH 4.14 00/46] 4.14.169-stable review
  2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2020-01-29 13:13   ` Jon Hunter
@ 2020-01-29 14:42 ` Guenter Roeck
  49 siblings, 0 replies; 56+ messages in thread
From: Guenter Roeck @ 2020-01-29 14:42 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, ben.hutchings,
	lkft-triage, stable

On Tue, Jan 28, 2020 at 02:57:34PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.14.169 release.
> There are 46 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Thu, 30 Jan 2020 13:57:09 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 172 pass: 172 fail: 0
Qemu test results:
	total: 374 pass: 374 fail: 0

Guenter

^ permalink raw reply	[flat|nested] 56+ messages in thread

* [LTP] [PATCH 4.14 00/46] 4.14.169-stable review
  2020-01-29 10:27     ` Naresh Kamboju
@ 2020-01-31  9:45       ` Jan Stancek
  0 siblings, 0 replies; 56+ messages in thread
From: Jan Stancek @ 2020-01-31  9:45 UTC (permalink / raw)
  To: ltp



----- Original Message -----
> On Wed, 29 Jan 2020 at 14:46, Jan Stancek <jstancek@redhat.com> wrote:
> >
> >
> >
> > ----- Original Message -----
> > > NOTE:
> > > LTP fs test read_all_proc fails intermittently on 4.9 and 4.14 branches.
> >
> > [trim CC list to LTP]
> >
> > Naresh, do you have some examples of these failures?
> 
> Yes.
> I have posted the links below.
> 
> > Has it started recently or do you see it long-term?
> 
> We have seen this from a this test is introduced.
> Not specific to any branch. This failure is intermittent and found on
> multiple trees and branches.

Those look like kernel bugs, but it's hard to see what /proc entries
trigger it.

I've been running v5.5 and read_all_proc for ~24 hours on aarch64,
but so far no crashes.


^ permalink raw reply	[flat|nested] 56+ messages in thread

end of thread, other threads:[~2020-01-31  9:45 UTC | newest]

Thread overview: 56+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-28 13:57 [PATCH 4.14 00/46] 4.14.169-stable review Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 01/46] can, slip: Protect tty->disc_data in write_wakeup and close with RCU Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 02/46] firestream: fix memory leaks Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 03/46] gtp: make sure only SOCK_DGRAM UDP sockets are accepted Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 04/46] ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 05/46] net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 06/46] net, ip6_tunnel: fix namespaces move Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 07/46] net, ip_tunnel: " Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 08/46] net_sched: fix datalen for ematch Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 09/46] net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 10/46] net-sysfs: fix netdev_queue_add_kobject() breakage Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 11/46] net-sysfs: Call dev_hold always in netdev_queue_add_kobject Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 12/46] net-sysfs: Call dev_hold always in rx_queue_add_kobject Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 13/46] net-sysfs: Fix reference count leak Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 14/46] net: usb: lan78xx: Add .ndo_features_check Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 15/46] tcp_bbr: improve arithmetic division in bbr_update_bw() Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 16/46] net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 17/46] hwmon: (adt7475) Make volt2reg return same reg as reg2volt input Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 18/46] hwmon: Deal with errors from the thermal subsystem Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 19/46] hwmon: (core) Fix double-free in __hwmon_device_register() Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 20/46] hwmon: (core) Do not use device managed functions for memory allocations Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 21/46] Input: keyspan-remote - fix control-message timeouts Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 22/46] Revert "Input: synaptics-rmi4 - dont increment rmiaddr for SMBus transfers" Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 23/46] ARM: 8950/1: ftrace/recordmcount: filter relocation types Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 24/46] mmc: tegra: fix SDR50 tuning override Greg Kroah-Hartman
2020-01-28 13:57 ` [PATCH 4.14 25/46] mmc: sdhci: fix minimum clock rate for v3 controller Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 26/46] Documentation: Document arm64 kpti control Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 27/46] Input: pm8xxx-vib - fix handling of separate enable register Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 28/46] Input: sur40 - fix interface sanity checks Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 29/46] Input: gtco - fix endpoint sanity check Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 30/46] Input: aiptek " Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 31/46] Input: pegasus_notetaker " Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 32/46] Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 33/46] hwmon: (nct7802) Fix voltage limits to wrong registers Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 34/46] scsi: RDMA/isert: Fix a recently introduced regression related to logout Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 35/46] tracing: xen: Ordered comparison of function pointers Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 36/46] do_last(): fetch directory ->i_mode and ->i_uid before its too late Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 37/46] sd: Fix REQ_OP_ZONE_REPORT completion handling Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 38/46] coresight: etb10: Do not call smp_processor_id from preemptible Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 39/46] coresight: tmc-etf: " Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 40/46] libertas: Fix two buffer overflows at parsing bss descriptor Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 41/46] media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 42/46] scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 43/46] md: Avoid namespace collision with bitmap API Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 44/46] bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 45/46] netfilter: ipset: use bitmap infrastructure completely Greg Kroah-Hartman
2020-01-28 13:58 ` [PATCH 4.14 46/46] net/x25: fix nonblocking connect Greg Kroah-Hartman
2020-01-28 23:05 ` [PATCH 4.14 00/46] 4.14.169-stable review shuah
2020-01-29  4:53 ` Naresh Kamboju
2020-01-29  4:53   ` [LTP] " Naresh Kamboju
2020-01-29  9:16   ` Jan Stancek
2020-01-29 10:27     ` Naresh Kamboju
2020-01-31  9:45       ` Jan Stancek
2020-01-29 13:13 ` Jon Hunter
2020-01-29 13:13   ` Jon Hunter
2020-01-29 14:42 ` Guenter Roeck

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.